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INTRODUCTION 


The  MIT  Laboratory  for  Computer  Science  (LCS)  is  an  interdepartmental 
laboratory  whose  whose  principal  goal  is  research  in  computer  science  and 
engineering. 

Founded  in  1963  as  Project  MAC  (for  Multiple  Access  Computer  and  Machine 
Aided  Cognition),  the  Laboratory  developed  the  Compatible  Time-Sharing  Systems 
(CTSS),  one  of  the  first  time-shared  systems  in  the  world,  and  Multics  ••  an  improved 
time-shared  system  that  introduced  several  new  concepts.  These  two  major 
developments  stimulated  research  activities  in  the  application  of  on-line  computing 
to  such  diverse  disciplines  as  engineering,  architecture,  mathematics,  biology, 
medicine,  library  science,  and  management.  Since  that  time,  the  Laboratory’s 
objectives  expanded,  leading  to  research  across  a  broad  front  of  activities. 

The  first  such  area  entitled  Knowledge  Based  Systems,  involves  making  programs 
more  intelligent  by  capturing,  representing,  and  using  knowledge  which  is  specific  to 
the  problem  domain.  Examples  are  the  use  of  expert  medical  knowledge  for 
assistance  in  diagnosis  carried  out  by  the  Clinical  Decision  Making  Group;  and  the 
use  of  solid-state  circuit  design  knowledge  for  an  expert  VLSI  (very  large  scale 
integration)  design  systems  by  the  VLSI  Design  Project. 

*  Research  in  the  second  and  largest  area  entitled  Machines.  Lanauaoes.  and 
Systems,  strives  to  discover  and  understand  computing  systems  at  both  the 
hardware  and  software  levels  that  open  new  application  areas  and/or  effect  sizable 
improvements  in  their  ease  of  utilization  and  cost  effectiveness.  New  research  in  this 
area  includes  the  architecture  of  very  large  multiprocessor  machines  (which  tackle  a 
single  task,  e  g.,  speech  understanding  or  weather  analysis)  by  the  Computation 
Structures,  Functional  Languages  and  Architectures,  and  Real  Time  Systems 
Research  Groups.  Continuing  research  includes  the  analysis  and  synthesis  of 
languages  and  operating  systems  for  use  in  large  geographically  distributed  systems 
by  the  Programming  Methodology  and  Real  Time  Systems  Groups.  Extended 
networks  for  such  distributed  environments  are  studied  by  the  Computer  Systems 
and  Communications  Group,  while  distributed  file  servers  are  pursued  by  the 
Distributed  Computer  Systems  Group.  Finally  a  key  application,  involving  the 
tailoring  of  news  and  other  community  information  to  individual  needs,  is  pursued  by 
the  Imaginative  Systems  Group. 

The  Laboratory's  third  principal  area  of  research,  entitled  Theory,  involves 
exploration  and  development  of  theoretical  foundations  in  computer  science.  For 
example,  the  Theory  of  Computation  Group  strives  to  understand  ultimate  limits  in 
space  and  time  associated  with  various  classes  of  algorithms:  the  semantics  of 
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programming  languages  from  both  analytical  and  synthetic  view-  points;  the  logic  of 
programs;  and  the  links  between  mathematics  and  the  privacy/authentication  of 
computer-to-comouter  messages.  Other  examples  of  work  in  this  area  involve  the 
study  of  distributed  systems,  by  the  Theory  of  Distributed  Systems  Research  Group, 
and  routing  algorithms  for  VLSI  circuits. 

The  fourth  area  of  research  entitled  Computers  and  People,  entails  societal  as  well 
as  technical  aspects  of  the  interrelationships  between  people  and  machines. 
Examples  include  the  use  of  computers  in  the  educational  process  by  the 
Educational  Computing  Group;  the  use  of  interconnected  computers  for  planning;  as 
well  as  the  societal  impact  of  computers  carried  out  by  the  Societal  Implications 
Research  Group. 

During  1983-1984,  the  Laboratory  embarked  on  the  ambitious  project  of 
constructing  Project  Tanglewood,  an  emulation  facility  consisting  of  64 
interconnected  large  computers,  whose  purpose  is  to  analyze  the  behavior  of  larger 
(up  to  several  thousand  machines)  multiprocessor  systems.  This  facility,  funded  by 
the  newly  formed  Strategic  Computing  Program  of  the  Defense  Advanced  Research 
Projects  Agency,  will  enable  our  experimenters  to  try  out  ideas  before  committing 
their  proposed  architectures  to  silicon  circuits.  Another  related  development  during 
this  period  has  been  the  continuing  development  of  the  MultiLisp  multiprocessor 
language  by  Professor  Robert  Halstead  of  the  Real  Time  Systems  Group.  A 
multiprocessor  applications  workshop  sponsored  by  members  of  the  Laboratory  was 
held  in  Spring  1984  to  establish  the  amount  of  parallelism  that  can  be  expected  in  a 
variety  of  applications. 

Another  growth  activity  during  1983-84  has  been  the  newly  established 
Educational  Computing  Group  which  is  now  headed  by  Dr,  Andrea  diSessa  and 
includes  Professors  Harold  Abelson,  Seymour  Papert,  and  Dr.  Sylvia  Weir.  This 
group,  which  in  tne  last  12  years  developed  the  widely  used  language  LOGO,  is 
currently  focusing  its  efforts  on  the  development  of  Boxer,  a  successor  to  LOGO  that 
encompasses  new  concepts  in  the  computer  and  cognitive  sciences  and  in 
educational  innovation. 

During  this  reporting  period  we  have  also  made  substantial  progress  in  distributed 
systems  research.  The  NuBus  architecture  that  we  developed  was  successfully 
transferred  to  industry  (Texas  Instruments)  and  we  took  delivery  of  30  Texas 
Instruments  Nu  Machines  supplied  to  us  in  exchange  for  our  contributions.  These 
and  other  related  machines  (single-user  Vaxes  and  Lisp  Machines)  are  being 
interconnected  into  prototype  interconnected  systems  within  the  Laboratory  thereby 
forming  an  experimental  basis  for  the  study  of  distributed  systems.  During  the 
Spring  of  1984,  key  researchers  in  distributed  systems  presented  their  results  to 
some  400  attendees  in  an  ILP-sponsored  conference. 
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During  1983-84,  the  Laboratory  formed  two  new  entities  ••  the  Distributed 
Computer  Systems  Research  Group  and  the  VLSI  Design  Project.  The  first  entity, 
headed  by  Senior  Research  Scientist  Dr.  David  D.  Clark  is  concerned  with  the 
architecture  of  distributed  systems  and  in  particular  with  fife  servers  and 
communication  protocols.  The  second  entity,  headed  by  Professors  Charles 
Leiserson  and  Richard  Zippol,  is  intended  to  coalesce  and  focus  the  various  VLSI 
design  activities  within  LCS.  A  key  research  activity  of  the  VLSI  Design  Project  is  the 
study  and  development  of  an  expert  VLSI  design  system,  Schema,  which  will  be  used 
as  a  common  basis  for  all  MIT  VLSI  design  research. 

Other  events  in  1983-84  were  the  arrival  of  three  IBM  engineers  who  will  help  us 
construct  the  Laboratory's  Emulation  Facility;  and  the  launching  of  the  Laboratory's 
bimonthly  newsletter  The  Gateway. 

In  1984,  the  Laboratory  issued  the  LCS  Achievement  Award  to  Professor  Joel 
Moses  for  his  pioneering  work  on  MACSYMA;  and  tho  one-time  LCS  Founder’s 
Award  to  the  founder  of  LCS  (then  Project  MAC)  Professor  Robert  M.  Fano. 
Professor  Fano  will  be  retired  effective  July  1984,  but  will  remain  a  part  time  member 
of  tho  Laboratory.  Other  departures  during  1983-84  included  Professor  Christos 
Papadirnitriou  (to  Stanford)  and  Professor  Michael  Hammer  (to  his  own  company). 

Arrivals  in  tire  same  period  were  Assistant  Professors  Shafi  Goldwasser,  Silvio 
Micali,  Ramesh  Pntil,  Christopher  Terman,  and  Research  Associates  William 
Ackerman  and  Benjamin  Kuipers.  Our  Laboratory  consisted  of  340  members  ■■  53 
faculty  and  academic  research  staff,  30  visitors  and  visiting  faculty,  57  professional 
and  support  staff,  110  graduate  and  90  undergraduate  students  --  organized  into  16 
research  groups.  Laboratory  research  during  1983  84  was  funded  by  16 
governmental  and  industrial  organizations,  of  which  the  Defense  Advanced 
Research  Projects  Agency  of  the  Department  of  Defense  provided  over  half  of  the 
total  research  funds. 

Technical  results  of  our  icsearch  in  1083  84  were  disseminated  through 
publications  in  technical  literature,  through  Technical  Reports  (TH209- TR3I7),  and 
through  Technical  Memoranda  (TM238  TM262). 
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communication.  People  use  models  of  their  conversational  partners,  models  that 
contain  ideas  of  the  other's  knowledge  and  beliefs,  in  order  to  determine  the  correct 
context  of  the  conversation.  Any  computer  system  that  engages  in  intelligent 
discourse  will  have  to  have  a  similar  model  of  the  user,  and  it  will  have  to  be  able  to 
derive  this  model.  Our  plan  is  to  build  a  prototype  system  that  forms  this  model  much 
in  the  same  way  that  people  do.  through  past  experiences  with  the  user,  making 
assumptions  about  common  knowledge  where  specific  knowledge  fails. 

3.4.  Research  Plan 

We  plan  to  continue  work  on  both  the  Heart  Failure  Project  and  the  Ventricular 
Arrhythmia  Management  Advisor  Project.  Also,  our  current  work  on  user  modeling 
will  continue,  and  we  hope  to  have  a  more  complete  definition  of  the  initial  model 
and  to  begin  a  computer  implementation  during  the  coming  year.  In  addition,  we 
plan  to  begin  development  of  an  experimental  environment  where  we  can  test  our 
theories  on  actual  student  users.  We  are  currently  trying  to  select  the  appropriate 
application  area  for  this;  initially,  it  must  be  a  program  whose  medical  expertise  is 
more  limited  and  easier  to  build  than  the  two  major  projects  descr  ibed  above,  so  that 
wc  may  have  a  testbed  in  the  relatively  near  future. 

4.  DEVELOPMENT  OF  TOOLS  FOR  CLINICAL  DECISION 
ANALYSIS 

4.1.  Executive  Summary 

In  this  subproject,  the  investigators  have  been  developing  and  modifying  a 
microcomputer  program  to  perform  clinical  decision  analysis.  The  program 
presumes  the  user  is  familiar  with  the  basic  principles  of  decision  analysis 
(formulating  problems  as  decision  trees,  assigning  likelihoods  (probabilities)  and 
relative  values  [utilities],  and  interpreting  the  results  of  systematic  variations  in  the 
values  of  single  parameters  or  sets  of  parameters  [sensitivity  analyses).  The  program 
allows  the  users  to  efficiently  specify  and  analyze  such  decision  problems.  In  the 
course  of  the  first  twelve  months  of  the  project,  the  program  lias  been  rewritten  in 
several  different  environments  to  explore  its  extensibility  and  to  improve  it  ease  of 
use.  We  have  directed  our  etfoits  entirely  at  the  IBM  PC  personal  computer  because 
it  has  the  lion's  share  of  the  microcomputer  market.  The  onginal  program  is  written 
in  UCSD  Pascal.  That  system,  with  its  compact  P  code  representation  was 
necessary  to  "fit"  the  program  into  a  microcomputer.  Two  more  recently  developed 
programming  environments  that  can  use  larger  amounts  of  memory  (IQLISP  and 
Turbo  Pascal'  have  been  usi  d  to  provide  veisions  that  do  not  require  the  user  to 
purchase  the  expensive  P  systcm  and  version  that  are  compiled,  pi  educing  a  five  to 
twenty  fold  increase  in  processing  speed.  In  the  past  ycai  v.o  have  also  enlarged  our 
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depth,  it  is  going  to  have  to  use  context  in  both  unders, :  nding  the  user  and  in  order 
to  provide  appropriate  responses.  Then  it  follows  that  the  system  is  going  to  need  a 
model  of  the  user's  knowledge  and  beliefs  in  order  to  provide  the  required  context 
[5],  Two  currently  open  problems  with  user  models  are  how  must  the  system’s 
model  of  the  user  change  as  the  discourse  progresses,  and  where  does  the 
information  in  the  model  come  from  in  the  first  place? 

A  good  deal  of  active  research  is  currently  attacking  the  first  of  these  open 
questions,  especially  from  the  end  of  understanding  user  statements.  Examples  of 
ongoing  work  include  that  of  Pollack[9],  Carberry[1]  and  Granger[2],  However,  no 
one  has  proposed  a  theory  with  which  a  system  can  initially  create  or  derive  a  model 
of  the  user.  This  is  the  problem  that  is  being  addressed  in  this  project. 

The  solution  proposed  here  is  based  on  a  theory  of  the  way  people  derive  their 
models  of  others  for  discourse.  In  general,  we  know  what  we  know  and  believe,  and 
more  importantly,  we  have  an  idea  how  common  this  knowledge  and  these  beliefs 
are.  When  l  meet  an  adult.  I  assume  ne  knows  the  difference  between  red  and  green, 
since  I  believe  this  is  common  knowledge  learned  while  very  young,  but  I  would  not 
assume  he  is  necessarily  familiar  with  Fillmore's  case  grammar  theory,  because  I 
believe  only  people  with  a  special  interests  in  linguistics  have  studied  case  grammar, 
and  that  not  everyone  is  that  interested  in  the  subject.  On  the  other  hand,  if  I  am 
introduced  to  someone  and  am  told  as  part  of  the  introduction  that  the  person  is  a 
linguist.  I  would  expect  him  to  be  at  least  aware  of  Fillmore's  work.  If  I  believe  that 
there  is  a  little  green  frog  in  the  bottom  drawer  ol  my  desk  that  created  the  universe.  I 
might  tenaciously  hold  this  belief,  but  I  would  also  recognize  that  the  vast  majority  of 
people,  for  whatever  reason,  do  not  share  this  view. 

In  other  words,  it  seems  that  the  initial  model  we  form  of  a  person  for  discourse 
purposes  is  the  first  impression  (for  the  present  meeting)  we  have  of  that  person. 
Obviously,  the  more  information  we  have,  the  more  accurate  the  impression.  Upon 
meeting  an  intimate  friend,  our  model  would  be  fairly  elaborate  and  accurate. 
Meeting  a  stranger  for  the  first  time  would  allow  us  to  form  only  a  vague  model  based 
on  what  we  believe  is  common  to  the  average  person. 

Computationally,  tlvs  suggests  a  hierarchical  default  mechanism  for  generating  a 
user  model.  Each  specific  piece  of  information  known  about  the  user,  either  from 
previous  encounters  or  from  being  told,  can  be  entered  directly  into  the  model.  Other 
pieces  can  receive  default  values  from  what  the  system  believes  to  be  common 
knowledge  or  average  values.  Obviously,  the  system  would  need  to  keep  track  of 
what  is  actually  known  and  what  is  being  assumed  about  the  user.  As  more 
information  is  learned  about  the  user  through  discourse,  default  values  can  be 
replaced  with  actual  facts. 

In  conclusion,  we  have  seen  that  context  is  essential  for  meaningful 
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utterances  will  be  understood.  Telling  a  patient  suspected  of  having  leukemia  that 
the  test  results  were  positive,  meaning  that  the  results  were  positively  conclusive  or 
that  they  were  favorable,  would  be  incorrect  because  in  this  context  positive  means 
that  the  illness  being  tested  for  is  present. 

But  context  is  more  important  than  avoiding  the  misinterpretation  of  statements.  If 
somehow  the  speaker  and  hearer  can  agree  on  the  context  for  the  discourse,  both 
people's  jobs  are  made  easier.  Whatever  is  in  the  agreed  context  can  be  taken  for 
granted  in  that  both  participants  know  of  its  existence  and  understand  it.  Then 
conversation  can  be  restricted  to  those  statements  that  somehow  provide 
information  that  is  not  yet  in  the  agreed  context.  This  allows  the  speaker  to  follow  the 
tenets  of  conversation  observed  by  Grice[3].  And  if  we  needed  to  describe  every 
concept  each  time  we  mentioned  it,  we  would  literally  never  be  able  to  finish  a 
thought,  since  every  concept  used  to  describe  the  initial  idea  would  itself  have  to  be 
described,  and  each  of  the  items  used  in  those  descriptions  would  have  to  be 
described,  and  so  forth. 

Accepting  that  context  is  essential  for  discourse,  we  might  ask  exactly  what  do  we 
require  to  be  in  the  context?  As  a  speaker,  we  need  not  only  every  piece  of 
information  we  know  that  might  affect  what  we  want  to  say.  but  also  how  each  piece 
will  affect  the  interpretations  of  our  statements  for  the  hearer.  And  as  a  hearer,  we 
need  to  know  what  effects  the  speaker  meant  to  have  by  his  statements.  In  other 
words,  in  addition  to  knowing  what  we  know  and  believe  concerning  the  topic  of 
conversation,  we  have  to  know  (or  least  have  an  idea  of)  what  the  other  person 
knows  and  believes.  Since  we  cannot  infallibly  know  what  is  in  another’s  head,  at 
best  we  can  have  a  model  of  the  knowledge  and  beliefs  of  our  partner  in 
conversation. 

We  use  models  of  others'  knowledge  and  beliefs  at  all  stages  when  we  engage  in 
communication.  It  is  used  when  we  are  determining  what  is  appropriate  to  say.  For 
example,  if  you  were  stopped  in  the  streets  by  someone  in  a  car  with  out  of  state 
plates  and  the  driver  asked  you  directions  to  a  local  famous  site,  you  would  probably 
not  give  directions  based  on  the  location  of  other  sites  that  would  be  well  known  to 
residents,  but  not  to  tourists.  This  is  because  in  this  situation  you  believe  the  driver 
generally  doesn't  know  her  way  around  town.  On  the  other  hand,  if  you  were  giving 
directions  to  a  friend  whom  you  know  to  hove  lived  in  this  city  for  years,  you  would 
use  local  landmarks  because  you  believe  she  is  familiar  with  them. 

Models  are  also  used  in  determining  an  appropriate  way  to  make  a  statement.  To 
use  the  same  example,  one  might  say  to  a  resident  of  Boston,  "Go  to  the  Hancock 
and  turn  left,"  whereas  to  a  tourist  a  more  appropriate  statement  would  be  "Go  to 
that  tall  glass  building  and  turn  left." 

If  a  computer  system  is  ever  going  to  engage  in  a  discussion  of  any  significant 
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determination  of  the  appropriate  recommendation  depends  on  the  assessment  of 
costs  of  the  two  conditions  and  the  assessment  of  their  likelihoods.  The  reasoning 
that  leads  to  the  actual  therapy  recommendation  can  be  made  more  general  by 
including  explicitly  the  risk-benefit  analysis  that  supports  it.  This  strategy  simplifies 
several  problems.  Inclusion  of  new  therapies  involves  changing  the  assessment  of 
costs  to  reflect  the  particular  characteristics  of  the  therapy.  Changes  in 
understanding  about  the  properties  of  a  therapy  either  because  of  new  medical 
knowledge  or  a  different  school  of  thought  are  similarly  incorporated  as  changes  in 
the  assessments  or  as  changes  in  the  strategies  for  optimizing  the  achievement  of 
therapeutic  goals. 

Over  the  past  year  our  work  on  this  project  has  centered  on  the  gathering  of  case 
material  to  test  both  an  initial  trial  program  for  arrhythmia  advice  and  for  the 
development  of  the  appropriate  design  for  the  Advisor.  The  case  material  includes  a 
complete  record  of  the  minute-by-minute  arrhythmia  data  from  an  arrhythmia 
monitor  as  well  as  the  clinical  information  needed  to  follow  the  disease  state  and  the 
record  of  therapeutic  interventions.  On  a  few  cases  we  have  also  been  able  to 
obtain  drug  level  information  for  verifying  pharmacokinetic  models.  So  far  we  have 
collected  data  on  44  cases.  This  case  material  is  not  as  detailed  as  we  will  ultimately 
need  for  verifying  particular  assessment  algorithms,  but  it  is  serving  us  well  for 
developing  the  initial  design. 


3.3.  User  Models  in  Discourse 

The  problem  of  modeling  what  the  user  knows  already  and  wants  to  know  is 
difficult.  During  the  past  year  we  have  begun  to  concentrate  on  one  aspect  of  this 
problem:  the  role  of  conversational  context  in  generating  appropriate  text. 

When  engaging  in  communication,  it  is  important  to  know  the  context  in  which 
statements  are  being  made.  This  is  equally  true  for  the  speaker  and  the  hearer.  (Or 
the  writer  and  the  reader.  We  will  not  distinguish  between  oral  and  written 
communication  here  unless  we  do  so  specifically  by  exception.)  It  is  necessary  for 
the  hearer  to  know  the  context  in  which  statements  are  being  made  in  order  to  fully 
understand  them.  For  example,  consider  the  sentence  "The  test  result  was 
positive."  In  the  context  of  a  qualifying  exam,  this  statement  made  to  the  candidate 
would  be  cause  for  celebration.  On  the  otner  hand,  this  statement  made  to  a  patient 
being  tested  for  leukemia  has  a  completely  different  meaning.  And  the  statement 
made  to  two  brothers  who  are  trying  to  see  if  one  can  donate  a  kidney  to  the  other 
has  yet  a  third  meaning.  It  is  easy  to  come  up  with  many  contexts  for  which  this 
statement  has  a  new  meaning  It  is  obviously  important  for  the  hearer  to  know  the 
context  in  which  an  utterance  is  made. 

It  is  equally  important  for  the  speaker  to  be  aware  of  the  context  in  which  his 


17 


CLINICAL  DECISION  MAKING 


alternative  relations  that  might  exist  in  the  patient.  This  kind  of  flexibility  is  possible 
because  the  model  provides  a  consistent  physiological  explanation  of  what  is  known 
about  the  patient.  Modifications  to  that  representation  are  supported  by  a  Truth 
Maintenance  System  that  propagates  the  implications  throughout  the  model.  Thus, 
if  there  are  inconsistencies  in  the  deduced  state,  these  will  be  pointed  out  by  the 
system  along  with  the  alternatives  for  correcting  them.  These  mechanism  makes  it 
possible  for  the  user  to  realistically  consider  changes  in  the  conclusions  of  the 
system  and  to  tailor  the  reasoning  to  whatever  the  user  knows  about  the  patient. 

Over  the  past  year  we  have  made  significant  strides  in  the  development  of  the  heart 
failure  program.  To  explore  the  important  representational  issues,  we  are  initially 
developing  the  model  on  a  subset  of  the  domain— the  problem  of  managing  angina 
in  the  context  of  possible  heart  failure.  We  have  put  together  a  causal  model  for  this 
subdomain  that  includes  about  fifty  nodes  related  as  definite  and  possible  causal 
factors  and  worsening  (predisposing)  factors.  With  this  model  we  are  developing 
general  strategies  for  the  assessment  of  evidence  from  the  patient  findings, 
strategies  for  pursuing  a  diagnosis,  and  strategies  for  finding  and  assessing  therapy 
choices.  A  working  version  of  this  program  has  given  us  new  understanding  of  some 
of  the  needs  for  explanation  and  the  necessary  ingredients  for  a  useful  explanation 
over  the  last  few  months. 

3.2.  The  Ventricular  Arrhythmia  Management  Advisor 

The  problem  of  generalizing  the  strategics  for  therapy  management  are  being 
addressed  by  the  Ventricular  Arrhythmia  Management  Advisor.  The  domain  of  the 
program  is  the  control  of  ventricular  arrhythmias  in  the  context  of  the  intensive  care 
unit.  Many  of  these  arrhythmias  occur  as  a  result  of  ischemia  but  there  are  also  a 
number  of  other  causes  as  well  as  factors  that  may  worsen  the  problem.  The  therapy 
for  these  arrhythmias  is  of  two  types.  Either  it  is  directed  at  the  arrhythmia  itself  or  it 
is  directed  at  the  cause.  The  arrhythmia  therapies  commonly  employed  include 
lidocaine,  procainamide,  quinidine,  bretylium,  and  others.  The  determination  of 
which  drug  is  appropriate  in  an  individual  is  primarily  done  by  trial  and  error.  Thus, 
several  may  be  tried  before  an  acceptable  patient  response  is  achieved.  These  are 
al!  drugs  with  multiple  compartment  pharmacokinetic  models,  high  interpatient 
variability,  narrow  therapeutic  windows,  and  high  incidence  of  toxicity.  Thus,  it  is  an 
excellent  domain  in  which  to  consider  the  issues  of  generalization  of  patient 
management  strategies. 

Our  approach  to  generalization  is  to  look  for  the  underlying  unifying  concepts  that 
run  through  the  patient  management  process.  For  example,  in  adjusting  the  dosage 
of  a  drug  for  anticipated  sensitivities,  the  physician  is  actually  going  through  a 
particular  instance  of  risk-benefit  analysis  in  which  the  risk  is  the  likelihood  of 
toxicity  and  the  benefit  is  the  likelihood  of  control  of  the  arrhythmia.  The 
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3.1.  The  Heart  Failure  Project 

The  Heart  Failure  Project  has  been  particularly  fruitful  for  developing  a  model  of 
user  access  and  control  over  the  reasoning  process.  The  central  observation  in  the 
development  of  a  design  for  this  program  is  that  much  of  the  reasoning  that  supports 
both  diagnosis  and  therapeutic  decisions  is  based  on  the  particular  complex  of 
disease  processes  and  physiological  compensations  exhibited  by  the  patient.  The 
most  obvious  way  to  produce  similar  kinds  of  reasoning  in  a  computer  program  is  to 
do  the  reasoning  from  a  physiological  representation  of  the  understanding  of  the 
patient's  state.  Thus  we  are  developing  a  program  that  has  at  the  center  a 
qualitative  causal  physiological  model  of  the  factors  related  to  heart  failure,  which 
can  represent  what  is  known  about  the  patient  state.  This  model  is  used  for 
understanding  the  significance  of  the  findings,  reasoning  about  the  possible 
diagnoses,  reasoning  about  appropriate  therapies,  and  providing  explanations  for  all 
of  these  kinds  of  reasoning. 

A  physiological  model  centered  approach  to  the  patient  management  process 
gives  a  user  access  not  only  to  the  reasoning  of  the  program  but  also  to  the 
justifications  for  the  reasoning.  That  is,  it  is  possible  for  the  user  to  examine  and 
explore  the  physiological  relationships  concluded  by  the  program  and  used  to 
support  the  recommendations.  For  example,  if  the  program  suggests  the  use  of  an 
arterial  vasodilator  to  increase  the  cardiac  output,  the  physiological  model  would 
provide  a  consistent  picture  of  why  the  recommendation  is  appropriate.  This  would 
include  facts  such  as  evidence  of  vasoconstriction  caused  by  a  high  sympathetic 
state  and  therefore  the  likelihood  that  the  cardiac  output  would  increase  rather  than 
causing  the  arterial  pressure  to  decrease.  In  addition  the  model  provides  the  user 
with  the  reasons  for  being  cautious  in  giving  such  a  therapy  since  a  possible 
alternative  result  is  for  the  arterial  pressure  to  drop. 

The  most  important  consideration  in  developing  a  physiological  model  for 
supporting  this  kind  of  reasoning  is  to  provide  the  relationships  at  the  appropriate 
physiological  level.  From  our  exploration  of  the  heart  failure  domain  it  appears  that 
the  level  needed  for  reasoning  and  for  explanation  are  the  same.  It  also  appears  that 
a  single  level  which  includes  the  hemodynamic  relationships  in  the  cardiovascular 
system  is  adequate  for  this  domain.  This  is  not  so  in  other  domains,  as  pointed  out 
by  Patil  in  the  acid  base  domain,  but  the  single  level  in  this  domain  simplifies  the 
problem  for  exploring  other  issues  of  diagnosis  and  management  reasoning. 

The  physiological  model  also  makes  it  possible  for  the  user  to  exert  control  over 
the  reasoning  process.  We  have  observed  that  the  user  many  times  is  better  able  to 
assess  physiological  states  of  the  patient  than  a  program  that  has  a  limited 
perspective  on  the  problem  and  only  the  ability  to  ask  questions  of  the  user.  Thus, 
our  intention  is  to  collaborate  with  the  user  in  the  reasoning  process  and  give  the 
user  the  ability  to  make  hypotheses,  change  conclusions,  and  in  general  to  test  the 
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The  diagnostic  system  at  Tufts  employs  an  Evoker  module  that  is  modeled  after  the 
categorical  aspects  of  the  Present  Illness  Program  developed  here  [7],  Its  purpose  is 
to  evoke  a  collection  of  elementary  hypotheses,  which  are  then  assembled  by  a  build 
module,  into  patient-specific  hypotheses.  Given  a  set  of  active  hypotheses  the 
system  must  choose  diagnostic  testing  for  the  confirmation  of  these  hypotheses.  We 
will  be  investigating  the  implementation  of  a  test  planning  module  that  will  employ 
the  reasoning  processes  that  expert  physicians  use  in  their  pursuit  of  medical 
diagnostic  and  therapeutic  strategies. 

3.  EXPLANATION  AND  JUSTIFICATION  BY  EXPERT  PROGRAMS 

This  section  focuses  on  the  development  of  improved  explanation  and  justification 
methods  for  the  Digitalis  Therapy  Program  and  the  extension  of  these  methods  to 
other  problem  domains.  Our  views  of  both  the  Digitalis  Therapy  Advisor  and  of  how 
best  to  accomplish  the  objectives  outlined  in  the  proposal  have  evolved  over  the  last 
four  years.  With  the  increased  use  of  a  large  variety  of  drugs  in  addition  to  digitalis 
in  many  conditions  for  which  digitalis  was  used  almost  exclusively,  it  has  become 
obvious  that  a  successful  program  must  deal  with  a  larger,  coherent  management 
problem  rather  than  concentrate  on  the  use  of  a  single  drug.  Therefore,  the  context 
of  this  research  has  broadened  to  encompass  two  logical  outgrowths  of  our  early 
work  on  digitalis.  The  first  of  these  is  the  Heart  Failure  Project.  The  objective  of  this 
project  is  to  help  the  user  reason  about  the  diagnosis  and  management  of  heart 
failure  by  relating  the  findings  to  the  possible  pathophysiology  that  might  be 
responsible.  This  project  is  an  outgrowth  of  the  observation  in  the  Digitalis  Therapy 
Advisor  that  it  is  difficult  to  relate  the  changes  in  the  digitalis  levels  to  the  changes  in 
the  heart  failure  manifestations  without  taking  into  account  the  other  therapies  that 
might  be  involved  and  the  particular  nature  of  the  heart  failure  in  the  patient.  The 
second  project  is  the  Ventricular  Arrhythmia  Management  Advisor.  This  project 
extends  the  idea  of  computer  assisted  therapy  management  to  the  management  of  a 
class  of  disease  situations  where  any  of  a  number  of  therapies  might  be  applicable. 

These  two  projects  have  given  us  a  clearer  understanding  of  the  problems  of 
giving  the  user  useful  explanations  of  the  reasoning  and  advice  of  such  programs. 
In  particular  we  have  been  making  significant  strides  over  the  past  year  to  design 
programs  where  the  user  has  access  to  the  disease,  physiological,  and  therapeutic 
relationships  behind  the  advice  given  by  the  program.  One  important  benefit  of  the 
explicit  representation  of  these  relationships  is  that  it  promises  to  let  us  build 
systems  wherein  the  user  has  a  much  larger  degree  of  control  over  the  reasoning 
process  and  the  conclusions  reached  by  the  program.  The  program  thus  becomes 
more  a  "reactive  blackboard"  on  which  the  user  can  try  out  various  ideas,  rather 
than  the  more  traditional  expert  decision  maker.  Finally,  the  changes  needed  to 
allow  our  programs  to  deal  with  larger  disease  classes,  in  which  there  are  significant 
therapy  choices  to  be  made,  also  simplify  the  addition  of  new  therapy  modalities. 
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2.3.  Plans  For  The  Coming  Year 

Completing  the  Validation  of  the  Model  of  the  Reasoning  Process  and 
Additional  Transcript  Analysis:  We  plan  to  complete  the  evaluation  of  the 
model's  completeness  and  generality  utilizing  an  existing  rule  system  to  simulate  the 
decisions  being  made  in  the  transcript.  EMYCIN,  [8]  a  domain  inoepenaent  rule 
system  will  accept  the  set  of  rules  that  we  derived  from  the  transcript  and 
systematically  apply  them  until  a  goal  attribute  is  established,  the  system  exhausts 
the  rules,  or  the  rules  that  we  derived  fail.  Our  goal  attribute  is  the  same  cnoice  of 
action  that  our  expert  physician  chose.  The  adequacy  of  the  knowledge  encoded  by 
these  rules  will  be  assessed  by  applying  them  to  similar  management  problems  but 
with  a  slightly  different  context.  The  degree  to  which  we  must  append  the  set  of 
rules  to  establish  our  goal  will  be  a  measure  of  their  adequacy. 

As  a  means  of  establishing  empiric  validity  of  our  model  of  an  expert  physician’s 
reasoning  processes,  we  will  be  analyzing  transcripts  of  the  same  physician,  solving 
problems  on  a  case  in  a  less  familiar  clinical  domain.  We  suspect  that  similar 
reasoning  processes  are  employed  for  decisions  with  clinical  problems  that  can  be 
structured  in  a  similar  fashion. 

We  also  have  collected  several  other  transcripts  from  other  expert  level  physicians 
with  other  areas  of  expertise  than  the  present  physician-subject.  We  will  be 
evaluating  these  transcripts  in  the  manner  described  above.  The  process  will  allow 
us  to  assess  the  similarities  and  differences  in  the  reasoning  processes  employed  by 
expert  physicians  with  different  areas  of  expertise,  for  problems  both  in  and  out  of 
their  domain  of  expertise.  We  will  be  looking  to  establish  whether  the  same 
theoretical  model  of  the  reasoning  process  found  for  the  pulmonologist  is  employed 
by  other  physicians  facing  the  same  decision. 

We  are  interested  in  characterizing  the  development  of  clinical  cognition. 
Specifically  we  would  like  to  follow  the  ontogeny  of  probabilistic  reasoning  and  the 
development  of  reasoning  tools  for  making  tradeoffs  in  the  risks  imposed  by 
diagnostic  tests  and  therapy.  We  will  start  to  collect  transcripts  of  physicians  at 
various  stages  of  their  training  (3rd  year  and  4th  year  medical  students,  2nd  year 
Internal  Medicine  residents  and  medical  sub-specialty  fellows),  as  they  solve  the 
same  problems  posed  to  our  expert  level  physicians. 

Developing  a  Computational  Model  of  the  Decision  Process:  Understanding 
the  structure  of  knowledge  and  problem-solving  methods  that  underlie  clinical 
expertise  will  have  a  significant  impact  on  the  design  of  knowledge-based  artificial 
intelligence  systems  in  medicine.  We  have  begun  to  investigate  putting  together 
resuits  of  our  study  of  expert  clinical  reasoning  with  a  hypothesis-directed  diagnostic 
system  that  is  currently  in  working  model  form  at  Tufts  University,  Medford  campus 
(B.  J.  Kuipers). 
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section.  In  this  manner,  we  reviewed  the  transcript  and  were  able  to  characterize 
many  of  the  reasoning  processes  employed  by  tho  physician  subject. 

Validation  ot  the  model  ot  the  reasoning  process:  The  model's  completeness  and 
consistency  was  assessed  by  two  means,  its  ability  to  account  for  each  referring 
phrase  in  a  selection  of  the  transcript  and  its  ability  to  specify  a  computer  simulation 
of  the  decision  process. 

The  first  step  accomplished  in  the  specification  of  a  computer  simulation  of  the 
reasoning  process  was  to  encode  the  knowledge  employed  by  the  expert  physician 
in  making  his  decision.  Sections  of  the  transcript  containing  decision  making 
material  were  reviewed  and  the  knowledge  that  they  contained  was  translated  into  a 
rule  language.  The  basic  structure  of  the  language  is  the  rule,  which  acts  to  link 
antecedent  conditions  to  actions  based  on  the  rules  of  those  antecedent  conditions. 
The  rules  take  the  form  of 

IF  ANTECEDENT  CONDITIONS>  THEN  <ACTI0N>. 

The  process  was  completed  for  the  each  of  the  decisions  focused  on  by  the 
physician -subject.  The  next  step  in  the  simulation  process  is  described  below. 

Comparison  to  decision  analysis:  We  have  compared  the  decision  process 
employed  by  our  physician  subject  to  a  normative  model  of  decision  making  under 
uncertainty,  namely  decision  analysis.  We  found  the  reasoning  process  exhibited  in 
the  transcript  to  closely  resemble  the  conceptual  framework  of  decision  analysis  but 
to  employ  a  significantly  different  processing  algorithm.  Based  on  this  work,  we 
have  submitted  an  abstract  for  presentation  to  the  Society  for  Medical  Decision 
Making  at  its  sixth  annual  meeting  in  November  1984  [6]. 

Application  of  Results  to  the  Teaching  of  Clinical  Medicine:  The  research 
we  are  undertaking  as  part  of  this  effort  might  enhance  our  ability  to  teach  expertise 
to  clinicians  at  ail  levels.  In  a  recent  publication  [4]  we  reported  just  such  an  effort, 
based  on  the  principles  identified  in  descriptive  research  on  clinical  problem  solving. 
In  this  paper,  we  showed  that  clinical  medicine  can  be  taught  to  junior  and  senior 
medical  students  and  to  house  officers  by  a  method  that  follows  an  iterative, 
hypothesis  based  approach.  This  method  is  a  direct  derivative  of  earlier  research  of 
ours  and  others  on  human  problem  solving  and  on  clinical  problem  solving  in 
particular.  In  recent  years  this  prospective  hypothesis  based  method  also  has  been 
applied  to  postgraduate  education  at  the  annual  meeting  of  the  American  College  of 
Physicians. 

We  expect  that  the  efforts  of  this  research  will  produce  similar  insights  into 
decision  making  under  conditions  of  uncertainty,  in  particular  those  decisions 
requiring  tradeoffs  between  the  risks  and  benefits  of  tests  and  treatments.  We  also 
expect  that  these  insights  can  be  incorporated  into  the  teaching  of  clinical  medicine. 


CLINICAL  DECISION  MAKING 


2.2.  Completed  Work 

Transcript  Analysis:  Our  work  to  date  has  involved  an  extensive  analysis  of  the 
behavior  of  one  expert  physician  (pulmonologist)  making  management  decisions  for 
a  desperately  ill  patient  with  preleukeminia,  chest  pain,  fever  and  an  acute 
pulmonary  infiltrative  process.  The  problem  involves  choosing  between  empiric 
treatment,  no  treatment  and  employing  potentially  dangerous  testing  to  guide 
treatment.  The  uncertainty  in  etiology  of  the  underlying  disease  process,  the  high 
risk  associated  with  gathering  further  information  and  the  urgent  need  for  specific 
treatment  of  the  immunocompromised  patient  engenders  decision  making  with 
probabilistic  reasoning  and  employment  of  techniques  to  assess  multi-attribute 
utilities.  Research  in  transcript  analysis  proceeded  as  described  in  the  following 
sub  sections: 

Segmenting  the  transcript:  The  verbatim  transcript  was  first  segmented  into  lines 
and  paragraphs.  This  process  involved  breaking  up  sentences  so  that  only  one  or 
two  pieces  of  a  complex  concept  was  contained  on  a  line,  which  frequently  spread  a 
sentence  over  many  lines.  Paragraphs  were  delineated  as  coherent  chunks  of 
narrative.  Paragraph  breaks  were  inserted  with  each  change  of  topic  or  style  of 
reasoning.  This  particular  transcript  was  segmented  into  over  1100  lines.  The 
transcript  was  then  reviewed  to  identify  the  sections  that  contain  problem  solving 
material.  Subsequent  steps  in  the  analysis  deal  only  with  those  sections  that 
contained  problem  solving  material. 

Determining  the  conceptual  framework  of  the  reasoning  process:  Each  line  of  the 
transcript  was  examined  to  identify  the  domain  object  being  referenced.  These 
object  phrases  are  distinct  from  the  wording  used  to  refer  to  them. 

Each  object  phrase  was  then  categorized,  resulting  in  a  broad  list  of  elements  that 
the  expert  was  reasoning  about.  This  list  of  elements  was  then  grouped  and  further 
categorized  to  establish  a  list  of  conceptual  framework  elements. 

Determining  the  content  of  the  knowledge  being  used:  Each  line  of  the  transcript 
was  then  reviewed  to  identify  the  assertions  made  about  each  domain  object.  We 
assume  that  the  content  of  these  assertions  constitutes  at  least  some  of  the 
knowledge  employed  by  the  expert  physician. 

Characterizing  the  reasoning  process:  With  the  transcript  analyzed  in  terms  of 
domain  objects  and  relationships  among  domain  objects,  the  progress  of  the 
decision  process  was  analyzed.  The  reasoning  process  employed  in  a  specific 
problem  solving  section  was  then  matched  against  problem  solving  methods  derived 
from  research  in  Artificial  Intelligence  (Al).  When  a  specific  Al  method  was  seen  to 
fit  a  particular  section,  we  then  examined  other  sections  of  the  transcript  to 
determine  if  the  same  Al  method  characterized  the  reasoning  process  in  the  new 
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configurations.  Dr.  J.  Hoilenberg  has  implemented  a  small  prototype  artificial 
intelligence  program  that  can  help  its  user  to  define  new  decision  trees.  That 
program  represents  typical  decisions,  potential  outcomes,  and  probabilities  and 
utilities  in  a  narrow  domain  of  medicine,  and  applies  a  frame- instantiation  algorithm 
to  guide  the  user  through  the  process  of  decision-tree  construction.  Mr. 
M.  Wellman,  working  with  Prof.  P.  Szolovits  and  Dr.  Pauker,  has  been  studying  the 
development  of  multi-attribute  utility  models,  and  has  begun  the  design  and 
implementation  of  an  artificial  intelligence  program  that  will  assist  an  expert 
decision-analyst  in  the  construction  of  new  multi-attribute  utility  models. 

1.4.  Institutional  Arrangements  and  Plans 

As  in  the  past,  we  have  been  successful  in  integrating  a  complex  set  of  related  but 
distinct  research  efforts  at  three  separate  institutions.  This  has  proven  possible 
because  Prof.  Kuipers  (from  Tufts  University)  is  also  a  Visiting  Scientist  at  the  MIT 
Laboratory  for  Computer  Science,  because  Prof.  Szolovits,  Dr.  Long  and  Mr. 
Wellman  regularly  visit  Drs.  Pauker  and  Kassirer’s  laboratory  and  fellows,  and  Drs. 
Hoilenberg  and  Moskowitz  have  taken  courses  at  MIT  and  interacted  frequently  with 
other  members  of  the  Clinical  Decision  Making  Group. 

We  plan  to  continue  in  the  coming  year  with  very  similar  arrangements.  However, 
Prof.  Kuipers  will  join  the  MIT  Laboratory  for  Computer  Science  as  a  part  time 
Research  Associate,  leaving  his  position  at  Tufts  University.  He  will  also  share  an 
appointment  at  Tufts  University  Medical  School.  In  addition,  Dr.  Long  has  begun  to 
spend  more  time  at  Tufts/New  England  Medical  Center  because  we  have  obtained 
new  funding  for  a  project  in  the  management  of  Congestive  Heart  Failure,  the 
research  on  which  is  to  be  performed  in  collaboration  with  Dr.  Pauker  and  another 
group  of  physicians  at  Tufts/NEMCH.  Also,  Dr.  Robert  Kunstaetter  has  joined  the 
Clinical  Decision  Making  Group  at  MIT  as  a  Research  Assistant,  and  has  begun  to 
develop  a  collaborative  project  with  Dr.  G.  Octo  Barnett  of  the  Massachusetts 
General  Hospital,  wherein  we  plan  to  apply  the  explanation  methods  developed 
under  this  project  in  teaching  students  at  the  Harvard  Medical  School. 

2.  CRITICAL  DECISION  NODE  PROJECT 

2.1.  Objectives 

To  describe  the  knowledge  representations  and  problem-solving  methods 
employed  by  physicians  making  difficult  management  decisions,  involving 
considerable  risk  and  uncertainty.  To  investigate  the  nature  of  clinical  expertise  and 
to  characterize  the  development  of  probabilistic  reasoning  by  comparing  the 
knowledge  and  problem-solving  methods  used  across  experimental  subjects 
differing  substantially  in  expertise. 
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4)  Give  the  user  increased  control  over  the  system’s  internal  decisions  and 
conclusions. 

5)  Generalize  the  models  of  therapy  developed  in  our  Digitalis  Therapy 
Program  to  other  applications  areas. 

Work  during  the  past  year  in  this  subproject  has  had  two  foci:  First,  we  have 
previously  concluded  that  goals  1,  4  and  5  of  the  above  list  require  not  only  the 
creation  of  new  techniques  of  explanation  but  also  fundamentally- improved 
representations  of  the  knowledge  that  is  to  be  explained.  Therefore,  Dr.  W.  J.  Long 
has,  with  the  assistance  of  Mr.  T.  A.  Russ  and  Mr.  I.  Kohane,  developed  a  set  of  new 
knowledge  representations  and  reasoning  strategies  that  will  underlie  the  new 
explanation  capabilities.  This  work  has  been  carried  out  in  the  context  of  two  new 
larger  projects  that  derive  from  the  Digitalis  Therapy  program:  a  program  to  assist 
physicians  with  reasoning  about  congestive  heart  failure,  and  a  program  for 
management  of  ventricular  arrhythmias. 

Second,  Mr.  R.  A.  Granville  has  created  much  improved  methods  of  generating 
English  output  from  the  explanation  program,  exhibiting  conciseness  and  coherence 
of  text.  A  good  explanation  depends,  however,  not  only  on  stylistically  acceptable 
English.  One  particular  area  we  have  identified  as  crucial  to  further  improvements  is 
to  tailor  what  the  program  says  to  what  it  believes  the  user  already  understands  (part 
of  goal  3).  During  the  past  year,  Mr.  Granville  has  begun  to  develop  user  models  to 
help  decide  what  needs  to  be  stated  and  what  can  be  left  implicit. 

1.3.  Decision  Analysis  Tools  Project 

Our  group  has  had  many  years’  experience  in  developing  and  applying  the  formal 
methods  of  decision  analysis  to  a  large  variety  of  clinical  decision  tasks.  Within  the 
past  five  years,  the  widespread  availability  of  small,  inexpensive,  but  powerful 
computer  workstations  has  made  possible  the  widespread  dissemination  of  these 
methods  and  the  provision  of  necessary  computer  support  for  their  effective 
application.  The  further  problems  facing  the  use  of  this  method  are  partly 
pragmatic — the  cost  and  difficulty  of  use  of  the  hardware  and  software  support 
environment— and  partly  fundamental— the  difficulty  that  potential  users  without 
extensive  formal  decision-analytic  training  have  in  building  new  decision-models  for 
novel  clinical  problems. 

This  subproject  has  concentrated  (during  the  past  year)  on  both  the  pragmatic  and 
fundamental  aspects  of  the  problem.  Dr.  S.  G.  Pauker  and  his  colleagues  at 
Tufts/New  England  Medical  Center  have  improved  the  Decision  Maker  computer 
program,  adding  new  capabilities  for  cost-effectiveness  calculations  and  Markov 
modeling,  and  making  it  available  in  less  expensive  and  more  powerful 
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methods  of  decision  analysis  may  be  brought  to  bear.  (Indeed,  making  practical  the 
application  of  just  this  methodology  is  the  focus  of  our  Decision  Analysis  Tools 
project.)  Often,  however,  critical  decisions  involving  uncertain  outcomes  and 
imprecisely-understood  risks  must  be  made,  when  the  knowledge  required  by  our 
formal  techniques  is  simply  not  available. 

In  this  subproject,  we  have  turned  our  attention  to  a  formal  analysis  of  the 
decision-making  strategies  and  knowledge  of  human  experts  faced  with  just  such 
problems.  Our  goal  is  to  understand  what  these  experts  do  in  the  face  of  a  serious 
lack  of  hard  data,  and  to  develop  a  sufficient  understanding  of  their  successful 
strategies  that  we  may  develop  computational  methods  that  will  enable  future  AIM 
programs  to  use  similar  methods. 

Dr.  J.  P.  Kassirer  and  Dr.  A.  J.  Moskowitz  of  the  Tufts/New  England  Medical  Center 
and  Prof.  B.  J.  Kuipers  of  Tufts  University  have  collaborated  in  the  extensive  analysis 
of  the  patient  management  decisions  of  one  expert  physician  facing  a  very  seriously 
ill  patient.  To  do  this,  they  have  developed  a  formal  six-step  methodology  for  the 
analysis  of  verbal  protocols  taken  from  their  subject,  and  they  have  begun  to  apply 
the  methods  developed  therein  to  improve  the  teaching  of  medical  expertise  to 
clinicians  at  all  levels. 


1.2.  Explanation  and  Justification  Project 

An  innate  part  of  the  consultation  process  is  the  user’s  ability  to  explore  the 
reasoning  on  which  the  expert  bases  his  advice  and  to  argue  the  appropriateness  of 
the  data  and  assumptions  on  which  that  advice  is  based.  We  outline  five  research 
goals  that  would  move  the  AIM  field  toward  the  ability  to  build  programs  that  meet 
this  requirement: 

1)  Develop  and  implement  new  strategies  of  explanation  by  improving  the 
user's  access  to  the  program's  knowledge  of 

•  the  causal  and  temporal  relations  among  disease  states, 
pathophysiology,  observable  signs  and  symptoms,  and  drug 
pharmacokinetics,  and 

•  internal  decisions  made  by  the  program  in  the  course  of  its 
deliberations. 

2)  Test  the  utility  and  acceptability  of  explanation  strategies. 

3)  Develop  models  of  the  user's  present  knowledge  and  what  he  or  she 
wants  to  know. 
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1.  OVERVIEW  AND  SUMMARY 

Our  overall  objective  is  to  develop  improved  methods  of  computer-based  medical 
reasoning,  to  better  understand  the  reasoning  of  human  expert  clinicians,  to  develop 
means  for  better  explaining  the  knowledge  and  methods  of  the  computer  to  its 
potential  users,  and  to  improve  the  application  of  decision-analytic  reasoning  to 
clinical  problem-solving  tasks.  Each  of  these  objectives  matches  a  deficiency  in 
current  AIM  programs;  thus,  through  this  research  effort  we  seek  to  enhance  the 
related  capabilities  of  future  AIM  programs. 

This  project  consists  of  three  related  sub-projects,  focusing  on  the  following  goals: 

1)  To  study  and  elucidate  the  knowledge  representations  and  problem¬ 
solving  methods  employed  by  physicians  making  difficult  management 
decisions,  involving  considerable  risk  and  uncertainty. 

2)  To  develop  new  methods  that  allow  expert  programs  to  explain  and 
justify  their  conclusions  by  arguing  from  fundamental  medical  facts  and 
principles  and  reconstructing  the  path  by  which  those  bases  have  led  to 
the  program's  recommendations. 

3)  To  continue  development  and  enhancement  of  a  micro-computer-based 
decision-analysis  and  sensitivity  analysis  system  for  clinical  use  by 
physicians. 

A  summary  of  the  accomplishments  of  each  of  these  sub-projects  is  presented 
here,  and  a  more  thorough  discussion  of  each  sub  project  and  its  plans  for  the 
coming  year  follow  in  the  subsequent  three  sections. 


1.1.  Critical  Decision  Node  Project 

Throughout  the  past  decade  of  significant  progress  in  the  creation  of  artificial 
intelligence  programs  for  medical  applications,  the  study  of  how  human  expert 
medical  practitioners  make  clinical  decisions  has  played  a  major  role  in  suggesting 
the  methods  and  knowledge  representations  that  could  be  used  by  these  programs. 
Equally  important  is  the  fact  that  such  studies  also  help  to  make  explicit  just  what  the 
knowledge  of  these  expert  clinicians  is,  thus  helping  to  teach  their  skills  to  new 
generations  of  doctors. 

One  of  the  most  difficult  areas  of  medical  decision-making  is  that  where  decisions 
rest  on  a  complex  interplay  between  competing  risks  and  benefits.  If  all  known 
options  open  to  the  decision-maker  are  explicitly  known,  if  ail  possible 
consequences  of  each  decision  can  be  foreseen,  and  if  the  likelihoods  and  costs 
and  benefits  of  each  of  these  outcomes  can  be  assessed,  then  the  normative 
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representation  scheme  to  allow  more  convenient  representation  of  time  series 
processes  and  to  allow  the  convenient  performance  of  cost-  effectiveness  analyses. 
We  have  also  begun  to  rewrite  our  manual  and  develop  a  library  of  sample  analyses. 
The  original  versions  of  the  program  have  been  distributed  to  some  30  users  and 
groups. 

4.2.  Progress  Report 

The  work  accomplished  in  the  past  year  differs  slightly  from  what  we  originally 
expected.  First  our  target  machine  is  no  longer  the  Apple  III.  Since  that  time  the 
IBM  PC  and  IBM-XT  have  become  the  dominant  force  in  the  microcomputer 
marketplace.  We  have  therefore  chosen  these  machines  as  our  target.  Furthermore 
the  microcomputer  market  has  been  sufficiently  shaken  out  that  we  did  not  feel 
compelled  to  maintain  machine  independence  by  using  UCSD  Pascal.  Another  major 
reason  for  exploring  the  feasibility  of  abandoning  that  environment  is  because  its 
purchase  cost  ($600)  was  deemed  to  be  a  significant  obstacle  to  program 
distribution.  We  initially  had  difficulty  moving  to  other  Pascal  environments  because 
the  size  of  the  required  longest  path  object  code  overlay  exceed  one  machine 
segment  (64K).  We  have  recently  identified  two  languages  with  allow  use  of 
extended  RAM  and  were  therefore  feasible  programming  environments— IQLISP  and 
Turbo  Pascal,  version  2.0. 

The  Turbo  and  UCSD  Pascal  versions  are  nearly  identical.  The  advantage  of 
Turbo,  however,  is  its  use  of  full  RAM  (up  to  640K),  allowing  far  larger  trees 
structures  and,  more  importantly,  far  deeper  recursion  depths.  In  this  version,  we 
have  incorporated  a  form  of  cost-effectiveness  analysis  which  allows  the  use  of  dual 
utility  structures  with  an  average  of  only  15%  increase  in  processing  time  (compared 
to  a  100%  increase  under  more  standard  schemes).  The  concept  involves 
recognition  that  all  features  of  a  cost-effectiveness  tree  are  duplicated,  save  for  the 
second  utility  structure.  Rather  that  fold  the  tree  back  twice,  we  developed  a  new 
expression  processor  that  evaluates  and  expression  and  its  shadow,  or  alternate 
structure.  The  sum  of  probabilities  x  utilities  then  becomes  two  sums:  probability  x 
utility  1  and  probability  x  utility  2.  Thus  all  linking  of  tree  structure  and  probability 
evaluation  (70-80%  of  processing)  is  performed  only  once. 

We  have  also  dev  eloped  a  representation  for  Markov  processes  (submitted  for 
presentation  at  SMDM  meeting,  1984),  The  concept  is  that  a  Markov  node  is  an 
outcome  descriptor  (like  a  terminal  node)  but  is  a  more  complex  process  than  simple 
expression  (utility)  evaluation.  Each  utility  is  now  an  incremental  utility,  in  three 
flavors:  initial,  tail,  and  all  others.  Transition  probabilities  can  be  arbitrary  time 
dependent  expressions.  In  the  UCSD  and  Turbo  Pascal  versions,  the  number  of 
states  can  be  very  large  (over  100)  but  processing  is  quite  slow.  In  the  IQLISP 
version,  all  evaluations  are  compiled  into  BASIC  generated  object  code,  but  the 
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compiled  expressions  are  very  large.  Compilation  is  lengthy  (minutes  to  hours)  but 
running  time  is  very  fast.  The  number  of  states  possible  in  this  version  is  limited  to 
20-25. 

The  IQLISP  version  of  the  program  is  basically  a  compiler  that  does  symbolic  tree 
evaluation.  It  generates  large  expressions  that  are  analyzed  for  common  sub¬ 
expressions  and  are  then  passed  to  the  BASIC  compiler  for  object  code  generation. 
The  object  code  is  very  rapid  in  execution  and  includes  a  variety  of  advanced 
graphic  displays,  but  the  lengthy  compilation-and  test  cycle  makes  it  cumbersome 
for  tree  development  and  debugging. 

We  have  also  been  revising  our  manual.  Preliminary  distribution  of  an  earlier 
program  version  and  manual  has  pointed  out  many  inadequacies  in  that  manual. 
Clearly  the  additional  features  and  new  machine  environment  also  requires  that  a 
new  document  be  created. 

Because  the  grant  award  has  not  included  funds  for  evaluation  and  testing  of  the 
program,  we  have  not  been  developing  format  protocols  for  data  collection  by 
collaborating  users.  Nevertheless,  we  have  been  developing  broad  experience  from 
program  utilization  in  our  own  division  and  at  a  limited  array  of  other  user  sites. 


4.3.  Research  Plan 

In  the  next  year,  we  plan  to  complete  the  manual  and  to  develop  « further  array  or 
worked  examples  and  template  analyses,  including  Markov  and  cost-effectiveness 
techniques.  We  shall  also  continue  to  refine  the  IBM- PC  versions  of  the  program.  At 
this  point,  it  is  not  clear  whether  the  IQLISP  version  will  continue  to  be  feasible.  That 
language  environment  is  moderately  buggy  and  the  time  intensive  issue  of  symbolic 
compilation  is  difficult  to  manage.  We  shall  continue  to  work  in  a  compiled  object 
code  environment,  either  in  Turbo  Pascal  or  in  C  (Lattice  version).  We  shall  support 
processors  with  and  without  the  8087  coprocessor.  We  will  try  to  develop  a  set  of 
graphics  routines  (for  use  with  both  monochrome  and  color  graphics  display  boards) 
to  allow  more  natural  tree  display.  We  shall  also  explore  the  utility  of  using  color 
graphics  to  display  multiway  sensitivity  analyses  and  shall  try  to  support  a  standard 
four  or  six  color  plotter,  such  as  the  Hewlett-Packard  or  the  SweatPea.  We  are  also 
beginning  to  explored  to  feasibility  of  using  windowing  techniques  and  the  "mouse" 
as  an  input  device. 

At  this  time,  we  have  not  found  efficient  means  of  compiling  dual  utility  analyses 
(such  as  cost  effectiveness  analyses)  in  the  IQLISP  version.  We  shall  explore  these 
possibilities.  We  shall  also  continue  to  distribute  the  developing  program  to 
interested  collaborators  so  we  can  evaluate  its  utility. 
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1.  INTRODUCTION 

The  work  of  the  Computation  Structures  Group  concerns  new  concepts  of  the 
basic  structure  of  computer  systems,  and  therefore  addresses  issues  ranging  from 
hardware  design  methodology,  through  the  consistent  specification  of  machine 
architecture  and  user  language,  to  the  evaluation  of  applications  for  execution  on 
proposed  system  architectures.  Two  system  designs  are  currently  being  pursued: 
the  static  dataflow  architecture  for  large  scale  scientific  computation;  and  the  Vim 
Project  which  is  exploring  the  application  of  dataflow  principles  to  a  general  purpose 
system  architecture.  In  the  development  of  the  static  architecture,  progress  has 
been  made  in  the  architectural  design  of  a  practical  dataflow  processing  element,  in 
the  experimental  design  of  key  LSI  components,  in  performance  studies,  and  in  the 
techniques  of  program  transformation  essential  to  an  effective  compiler  for  Val  (the 
functional  programming  developed  by  the  group  for  use  with  dataflow  computers). 
Work  on  the  Vim  Project  has  centered  on  the  design  of  representations  for  the 
structured  data  types  of  VimVal  (the  user  language  for  Vim),  the  philosophy  of  type 
inference  and  type  checking  to  be  incorporated  in  Vim,  and  study  of  the  problems  of 
maintaining  data  integrity  through  automatic  backup.  The  group  is  also  working  on 
an  advanced  methodology  for  the  design  of  self-timed  logic  circuits  in  continuation 
of  its  previous  work  in  this  area. 

2.  DATA  FLOW  PROCESSING  ELEMENT 

The  principal  effort  of  the  Computation  Structures  Group  is  work  toward 
construction  of  a  demonstration  dataflow  machine  for  high  speed  numerical 
computations.  The  goal  is  to  demonstrate  a  machine  that  can  achieve  better  than 
100  megaflops  of  performance  in  executing  useful  programs  compiled  from  Val. 
The  work  is  guided  by  our  experience  in  the  analysis  of  benchmark  programs  in 
application  areas  from  weather  modeling  to  plasma  dynamics. 

The  design  problem  is  simplified  by  the  recent  availability  of  a  commercial,  high 
performance  floating  point  chip  set  comprising  a  multiplier  and  an  adder.  Because  of 
their  ability  to  pipeline  successive  operations,  they  are  well  suited  to  to  the 
construction  of  a  dataflow  processor. 

The  envisioned  machine  has  64  processing  elements,  each  built  around  a  pair  of 
floating  point  chips  and  capable  of  at  least  five  megaflops  of  performance.  We 
estimate  that  each  processing  element  will  hold  several  thousand  dataflow 
instructions  and  will  include  a  large  local  memory  for  holding  the  arrays  of  values 
that  make  up  the  database  of  an  application.  We  expect  the  machine  will  be  able  to 
achieve  its  full  potential  performance  of  320  megaflops  for  many  application  codes. 
Several  proposals  for  the  organization  of  the  processing  element  have  been 
developed.  These  are  being  compared  and  evaluated,  and  a  choice  of  one  design  for 
detailed  development  will  be  made  during  the  next  year. 
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3.  PROGRAM  TRANSFORMATION 

The  success  of  a  practical  dataflow  computer  for  high  performance  scientific 
computation  hinges  on  the  ability  of  a  compiler  to  produce  effective  dataflow 
programs  from  high  level  source  programs.  The  basic  problem  is  to  create  target 
program  structures  that  adapt  the  degree  of  parallelism  exposed  in  the  source 
program  to  the  storage  capacity  of  the  machine.  To  do  this,  the  compiler  must 
restructure  the  program  to  make  the  trade-off  between  time  (parallelism),  and  space 
(memory)  that  permits  full  utilization  of  the  machine.  The  Computation  Structures 
Group  is  exploring  two  avenues  toward  this  goal  --  a  general  approach  based  on 
program  transformations  that  apply  to  any  program  written  in  Val,  and  a  second 
approach  that  generates  a  pipe-structured  dataflow  program  for  any  of  a  certain 
class  of  Val  programs. 

In  his  recent  doctoral  thesis  [2],  William  Ackerman  studied  the  translation  and 
optimization  techniques  for  Val  programs  that  deal  with  arrays.  The  principal 
transformation  technique  proposed  for  achieving  high  execution  speed  on  a  static 
dataflow  computer  is  the  spatial  interleaving  of  arrays  and  the  unfolding  of  the 
iteration  loops  that  manipulate  them.  This  technique  allows  the  transformed 
program  to  be  distributed  over  many  processing  elements,  permitting  parallel 
operation  with  minimal  communication  among  the  parts.  This  technique  works  for 
the  loraii  expression  of  the  Val  language  as  well  as  the  normal  sequential  iteration 
loop,  and  it  works  for  nested  loops  and  multidimensional  arrays.  It  should  yield  good 
results  over  a  wide  range  of  machine  sizes  and  problem  sizes. 

Gao  Guang-Rong  has  studied  a  class  of  Val  programs  in  which  the  body  of  the 
program  consists  of  several  blocks  of  code  interconnected  without  cycles.  Each 
block  defines  one  or  more  array  values  in  terms  of  its  inputs,  and  has  the  form  of  an 
iteration  or  a  lorall  expression.  Gao  has  shown  that  such  programs  can  be 
transformed  algorithmically  into  dataflow  machine  code  in  which  the  data  is 
pipelined  through  the  instructions  at  the  maximum  rate  permitted  by  the 
architecture.  This  approach  permits  calculation  of  the  instruction  and  data  storage 
required,  and  therefore  the  right  choice  of  space  versus  time  may  be  made  to  utilize 
as  much  of  the  machine’s  capacity  as  possible.  The  method  used  to  construct 
pipelined  code  by  augmenting  dataflow  programs  with  buffering  is  treated  in  earlier 
work  by  Gao  [8]. 

Incorporating  these  techniques  into  a  practical  compiler  is  a  challenging  task.  Yet 
the  functional  (applicative)  nature  of  the  Val  programming  language  makes  the  task 
much  easier  than  would  be  the  case  for  a  more  conventional  language  such  as 
Fortran.  Construction  of  a  program  transforming  compiler  for  real-world  application 
programs  will  be  a  major  project  over  the  next  few  years. 
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4.  LOGIC  DESIGN  METHODOLOGY 

The  Group  has  contributed  to  the  study  of  asynchronous  design  of  digital  logic 
systems  for  many  years  [4],  and  specifically  to  design  techniques  based  on  self- 
timed  concepts  of  logic  design  [9],  At  one  time  it  appeared  that  seif-timed  techniques 
already  developed  might  be  competitive  in  the  context  of  VLSI  design  [9].  However, 
our  experimental  design  of  a  two-by-two  router  device  in  LSI  using  standard  self- 
timed  circuit  elements  showed  that  this  approach  is  far  from  achieving  competitive 
component  density. 

Tam-Anh  Chu  has  conceived  a  design  method  that  exploits  silicon  layout  and  self- 
timed  principles  together  to  achieve  designs  that  are  competitive  with  conventional 
techniques  [5].  The  methodology  uses  a  novel  system  organization.  In  contrast  to 
the  usual  data-path/controller  partition  of  synchronous  systems,  a  system  is 
organized  into  data-path,  state-machines,  and  distributed  control  structures.  Self- 
timed  data  path  circuits  are  built  using  logic  gates,  pass-transistors,  and  matched 
timing  delays.  Such  an  approach  yields  layouts  of  almost  the  same  area  as  for 
synchronous  construction,  and  is  possible  because  in  VLSI  systems,  delays  of  data¬ 
path  components  can  be  easily  matched  by  using  identical  geometry.  Also,  data¬ 
path  components  have  their  own  controllers  for  inter-module  timing  synchronization. 
State-machines  and  distributed  control  structures  are  used  together  to  form  the 
control  part  of  the  system.  State-machines  test  predicates  only  to  guide  control  flow 
in  the  distributed  control,  and  are  simple  and  fast. 

A  self  timed  router  chip  [6]  has  been  designed  using  this  approach.  The  router  is  a 
packet  switching  device  with  two  input  and  two  output  ports.  It  decodes  address  bits 
of  byte-serial  input  packets  and  routes  them  to  designated  output  ports  by  setting  up 
and  maintaining  a  link  between  ports  throughout  the  duration  of  a  packet 
transmission.  Packets  going  to  different  output  ports  can  be  processed 
concurrently,  and  any  contention  for  output  ports  is  resolved  using  arbiters. 

The  methodology  uses  a  graph  model  called  the  Signal  Transition  Graph  for  the 
direct  synthesis  of  self  timed  circuits.  A  Signal  Transition  Graph  is  a  directed  graph 
where  vertices  represent  signal -transitions  at  circuit  nodes,  and  arcs  specify  static 
and  dynamic  relationships  between  pairs  of  transitions.  Additional  constraints  are 
included  in  the  graph  to  permit  determination  of  the  circuit  (an  interconnection  of 
components),  and  the  logic  functions  of  the  components.  Two  self-timed  chips  have 
been  successfully  designed  using  this  graph  model  -■  a  router  chip  and  a  ring  buffer 
chip. 
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5.  INTEGRATED  CIRCUIT  DESIGN  AND  FABRICATION 

Since  the  use  of  custom  integrated  circuit  devices  is  essential  to  achieving 
competitive  performance  in  a  dataflow  processor,  we  have  developed  several 
experimental  chips  using  CAD  tools  available  at  MIT.  and  the  DARPA  MOSIS 
fabrication  service.  The  devices  chosen  for  experiment  reflect  key  requirements  in 
the  construction  of  practical  dataflow  computers.  One  is  the  two  by  two  router 
which  is  a  building  block  for  pocket  switched  routing  networks.  The  second  is  a 
simple  dataflow  processing  element  with  8  bit  data  words  that  has  given  us 
experience  in  implementing  all  the  essential  mechanisms  of  a  full-scale  dataflow 
processor. 

T!'io  first  device  constructed  [5]  was  a  scaled  down  router  with  a  two-bit  data  path. 
It  was  fabricated  in  1983  using  a  5 -micron  NMOS  process.  We  have  obtained  eight 
chips  from  MOSIS.  all  of  which  were  found  to  be  fully  operational  at  the  relatively 
slow  rate  of  around  0.7MHz.  This  router  was  designed  using  self  timed  circuits  with 
extremely  conservative  expectation  of  process  variations.  Dual-rail  coding  was  used 
in  the  data  path  and  control  circuits  to  ensure  fully  speed  independent  operation  of 
all  components.  Also,  a  substantial  amount  of  circuitry  was  included  for  test 
purposes,  and  this  partly  degraded  the  performance  of  ttie  router.  In  retrospect,  this 
project  was  successful  in  that  it  allowed  verification  of  the  design  approach  and 
produced  valuable  feedback. 

Our  experience  with  this  design  inspired  development  of  the  new  design 
methodology  described  above.  Application  of  the  methodology  to  the  two-by-two 
router  yielded  a  device  [6]  with  a  full  9  bit  data  path  and  buffer  storage  for  eight 
bytes  at  each  input  port.  It  has  been  fabricated  through  MOSIS  using  a  3  micron 
CMOS  process,  and  its  speed  is  estimated  to  be  5MHz.  In  this  version,  control 
circuits  are  speed  independent  and  data  path  components  are  timed  by  means  of 
matched  delays.  All  modules  are  designed  so  that  times  for  the  reset  ptiase  of  the 
four  cycle  signaling  protocol  are  reduced  to  a  minimum,  yielding  a  significant  overall 
speed  improvement.  The  layout  of  the  data  path  in  this  circuit  is  similar  to  a 
synchronous  one.  We  believe  the  layout  of  the  control  is  superior  to  that  of  the 
synchronous  design,  as  the  distributed  control  structures  uses  less  circuitry  than  a 
central  controller,  and  they  may  be  laid  out  to  the  same  pitch  as  the  data  path. 

The  simple  dataflow  processing  element  was  an  exploratory  design  developed  as  a 
course  project  in  1983.  It  has  been  redesigned  and  submitted  to  MOSIS  for 
fabneation.  This  chip  was  implemented  in  bulk  CMOS  with  3  micron  features.  When 
combined  with  a  commercial  2K  by  8  RAM  chip  it  forms  a  simple  processing  element 
that  can  handle  the  sequencing  of  64  dataflow  instructions.  Most  of  the  chip  area  is 
occupied  by  an  eight  bit  arithmetic-logic  unit/register  array,  and  several  PLA 
structures  that  implement  the  control  functions.  The  unique  element  is  a  6*4  bit 
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enable  memory  having  an  integral  priority  encoder  that  implements  the  dataflow 
instruction  sequencing  rules.  In  a  full-scale  dataflow  processor,  the  size  of  the 
enable  memory  will  require  that  it  be  fabricated  as  one  or  more  dedicated  chips. 
Such  a  specialized  device  will  be  the  next  candidate  for  experimental  design. 

6.  PERFORMANCE  STUDIES 

Being  very  different  from  conventional  computer  systems,  dataflow  computers 
require  new  approaches  to  performance  evaluation.  One  important  aspect  is  the 
manner  in  which  the  instructions  of  a  dataflow  program  are  assigned  to  the 
processing  elements  of  the  machine  so  that  full  performance  may  be  achieved.  This 
aspect  is  addressed  primarily  as  a  problem  of  program  structure,  and  compiler 
analysis  and  transformation  of  programs.  The  other  aspect  of  performance  of  the 
static  dataflow  multiprocessor  is  the  manner  in  which  the  load  placed  on  the  routing 
network  by  the  processing  elements  interacts  with  the  protocol  of  the  routers  to 
determine  the  rate  at  which  data  flows  among  the  processing  elements. 

In  most  of  our  work  we  have  focused  on  the  packet  routing  network  as  an 
independent  subsystem.  In  his  doctoral  thesis  [3]  G.  Andrew  Boughton  examines  the 
design  of  high  throughput  packet  switched  networks  for  interconnecting  the 
modules  of  a  large  digital  system  such  as  the  processing  elements  of  a  dataflow 
computer.  The  design  of  such  networks  is  studied  under  two  different  sets  of 
assumptions  about  the  implementation  technology.  The  first  set  corresponds 
roughly  to  present  technology  where  only  a  small  number  of  network  nodes  can  be 
placed  on  a  single  integrated  circuit  chip.  The  second  set  corresponds  to  future 
VLSI  technology  where  a  large  number  of  network  nodes  can  be  placed  on  a  single 
chip. 

Under  the  first  set  of  assumptions,  network  structures  based  on  the  indirect  n  cube 
topology  are  studied  to  determine  the  factors  limiting  the  performance  of  very  large 
networks.  For  this  purpose  the  load  on  the  network  is  assumed  to  be  generated  by 
independent  packet  sources  at  each  input  port  with  uniformly  distributed  packet 
destinations.  For  such  sources,  the  strongest  constraint  examined  still  allows  the 
throughput  of  the  network  to  grow  linearly  with  the  number  of  network  inputs. 
However,  we  show  that  conditions  can  arise  in  the  operation  of  moderately  large 
networks  (around  a  thousand  inputs)  such  that  some  network  inputs  accept  packets 
at  less  than  half  the  average  input  rate  for  a  long  period  of  time.  The  design  of 
nutworks  where  the  sources  generate  a  nonuniform  distribution  of  packet 
destinations  is  examined  briefly. 

For  network  implementations  where  many  nodes  are  built  into  a  VLSI  chip,  we 
derive  a  minimum  wire  cost  proportional  to  the  square  of  the  number  of  network 
infants,  shown  for  networks  capable  of  high  performance  for  certain  uniform  patterns 
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3.2.  Packet  Trams  for  Network  Workload  Modeling 

For  network  modeling  and  simulation,  it  is  essentia!  to  know  the  right  model  for 
packet  arrivals.  The  traffic  measurements  on  the  LCS  token  ring  show  that  the 
packet  arrivals  do  not  follow  the  commonly  used  model  of  Poisson  arrivals  which 
assumes  that  packets  arrive  independently  and  that  the  arrival  of  a  packet  gives  no 
clue  about  future  arrivals.  A  more  realistic  model  called  packet  trams  has  been 
proposed  by  Raj  Jain,  in  which  all  packets  of  a  file  transfer  form  a  train.  The  inter¬ 
packet  interval  between  successive  packets  of  a  train  has  a  distribution  very  different 
from  inter  train  interval.  The  former  is  a  characteristic  of  the  higher-level  protocols 
and  system  configurations  while  the  later  depends  solely  on  user  behavior.  After  the 
arrival  of  a  locomotive  (the  first  packet)  of  a  train  subsequent  packet  arrivals  can  be 
predicted  with  very  little  variance.  Protocols  that  exploit  this  dependence  of  packet 
arrivals,  e.g..  reservation  sharing,  can  be  designed  to  use  resources  more  efficiently 
than  current  ones  which  are  optimized  for  random  Poisson  traffic. 

3.3.  High-bandwidth  Residential  Networks 

A  second  network  technology  effort  is  just  beginning  this  year:  exploring  the  use 
of  commercial  cable  television  systems  as  a  high-bandwidth  local  network 
technology  that  can  reach  the  home.  The  primary  progress  on  this  topic  has  been  to 
develop,  in  concept,  techniques  that  can  deal  with  the  analog  environment  of  the 
typical  CATV  system.  It  now  appears  that  a  promising  approach  is  the  use  of  spread- 
spectrum  modulation  techniques,  for  four  reasons.  First,  spread  spectrum  provides 
compatibility  with  miscellaneous  services  already  in  place  on  the  same  cable. 
Second,  the  anti  jamming  properties  of  spread-spectium  modulation  provide  a 
counter-measure  to  deal  with  extreme  interference  from  short  wave  broadcasts  in 
the  frequency  bands  available  for  two-way  data  communications.  A  third  property, 
that  spread-spectrum  signals  are  well  hidden  from  non  spread  spectrum  receivers, 
may  also  be  useful  in  allowing  data  signals  to  use  radio  frequencies  on  the  cable  that 
have  been  set  aside  to  protect  nearby  aircraft  communications.  Finally,  the  spread- 
spectrum  code  division  multiple  access  technique  may  be  an  effective  alternative  to 
carrier-sense  or  token-passing  as  a  channel  access  control  technique.  The 
theoretical  properties  of  spread-spectrum  modulation  for  this  application  all  are 
sufficiently  promising  that  it  is  time  to  begin  a  more  detailed  study,  perhaps 
undertaking  a  modem  design  in  the  coming  year. 
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review,  the  proNET  ring  is  a  commercial  version  of  a  10  Mbit/sec  token  ring  local 
area  network  designed  by  this  research  group  and  reported  in  detail  in  previous 
reports.  Its  primary  innovative  feature  is  a  star  shaped  topology  with  a  passive 
wiring  center  intended  to  make  maintenance  easy  and  availability  very  high.  The 
LCS  installation  currently  covers  three  floors  of  the  building  using  four 
interconnected  wire  centers.  Although  the  installation  is  mostly  done  with  twisted 
pair,  there  is  one  experimental  fiber  optic  section.  There  are  30  Vax  11/750  and 
11/780  computers,  five  LSI-1 1  's,  a  Bridge  CS/1,  and  3  IBM  PC's  connected  to  the 
ring.  The  Bridge  CS/1  and  several  of  the  LSMI's  act  as  gateways  to  other  local 
area  networks,  chiefly  an  experimental  (3  Mbit/sec)  Ethernet,  a  standard  Ethernet, 
the  ARPANET,  and  a  serial-line  network. 

Preliminary  observations  of  the  monitoring  station  appear  in  a  Master's  thesis  by 
Feldmeier,  also  available  as  an  LCS  Technical  Memorandum.  Some  of  the  more 
interesting  results  are  the  following: 

•  Packet  traffic  is  between  1  and  2  million  packets/day.  The  ring  is  thus  in 
production  use,  a  vital  link  in  the  Laboratory's  resources. 

•  Load  distribution  is  very  similar  to  that  reported  by  Shoch  and  Hupp  at 
Xerox,  with  the  difference  that  the  individual  nodes  at  MIT  seem  to 
generate  about  three  times  as  many  bits/second/node.  Two  possible 
explanations  of  this  more  intense  traffic  are  that  the  MIT  site  has  more 
remote  paging,  and  that  the  Vax  11/750  computers  are  more  powerful 
than  the  Xerox  Alto,  so  they  can  make  more  frequent  demands  on  the 
network. 

•  Internetwork  traffic  is  some  40%  of  the  total  traffic  on  the  ring.  This 
large  number  may  have  important  implications  for  gateway  design  and 
generally  for  internet  plans,  although  it  is  hard  to  tell  whether  it  would  be 
similar  in  other  environments  with  less  diverse  communications 
facilities. 

•  The  distribution  of  packet  interarrival  times  is  decidedly  non-Poisson: 
shorter  interarrival  intervals  have  much  greater  than  Poisson 
probabilities.  This  observation  has  led  Raj  Jain  to  explore  a  network 
packet  arrival  model  called  "packet  trains"  reported  below. 

•  "Network  unavailable  time,"  which  accumulates  whenever  a  token  is 
continuously  absent  for  more  than  one  second,  averages  5  to  10 
seconds  per  24-hour  day.  Since  all  reconfiguration  and  repair  of  the 
network  at  LCS  is  done  without  turning  off  the  network  or  the  monitor, 
this  small  number  suggests  that  the  star  configuration  is  extraordinarily 
effective  in  providing  high  availability. 
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4)  Implement  discretionary  or  non-discretionary  controls  in  the  accessible 
internal  resources  as  needed. 

In  summary,  the  gateway  authenticates,  labels,  and  maintains  information  on 
category  sets  while  most  of  the  rest  of  the  world  can  go  on  unchanged. 

2.3.  Experimental  Implementations 

We  have  implemented  two  components  of  a  mail-relay  gateway  suitable  for  inter¬ 
organization  connections. 

Don  Gillies  implemented  a  secure  mail  relay  on  an  IBM  Personal  Computer  as  an 
undergraduate  thesis  project.  The  mail  relay  was  inspired  by  the  needs  of  the 
Laboratory  for  Computer  Science  Headquarters,  which  had  a  new  office  automation 
program  for  their  Unix  system.  They  wanted  to  connect  to  the  rest  of  the  MIT 
computer  network,  but  also  wanted  to  protect  their  sensitive  research  accounting 
data.  The  same  basic  software  design  should  b-  usable  in  the  planned  MIT  to-IBM 
mail  relay  connection. 

The  mail  relay  is  built  on  top  of  the  CSC  Group's  PC/IP  protocol  implementation 
for  the  IBM  PC.  It  contains  a  new  a  multi-connection  TCP.  user  and  server  SMTP, 
and  a  reliable  spooling  program.  It  also  has  security  mechanisms  that  leave  audit 
trails,  that  detect  unusually  heavy  mail  traffic,  that  halt  messages  with  suspicious 
ascii  characters,  and  that  record  attempts  to  speak  unauthorized  protocols  through 
the  relay.  The  full  design  is  explained  in  the  thesis. 

The  second  component  (also  implemented  by  Gillies)  is  mail-filtering  software 
tunning  on  a  Vax.  This  facility  can  be  tailored  to  implement  higher-level  policies 
(e.g.,  no  transit)  for  mail  traffic  that  enters  the  network  via  the  gateway. 

By  connecting  the  mail  relay  to  an  internal  local  area  network  on  one  side,  and  a 
telephone  line  on  the  other,  we  can  implement  a  controlled,  inter-organization,  mail 
network.  All  messages  that  arrive  over  the  telephone  line  can  be  sent  to  the  Vax  for 
higher-level  filtering.  In  addition,  we  can  use  a  link-level  protocol  that  authenticates 
the  origin  of  packets  that  arrive  over  the  telephone  line. 


3.  LOCAL  AREA  NETWORK  TECHNOLOGY 

3.1.  Ring  Network  Monitoring  Results 

The  primary  progress  this  year  on  the  ring  network  research  project  was  bringing 
into  service  of  a  ring  network  monitoring  station,  built  by  David  Feldmeier,  and  the 
beginning  of  systematic  collection  of  data  on  the  proNET  token  ring  network.  In 
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2)  The  administration  of  most  internal  networks  is  intentionally 
decentralized.  Consequently,  it  is  very  difficult  to  assure  conformance 
with  new  policies  such  as  tight  controls  on  accessibility  of  internal 
resources  to  outsiders. 

3)  Internal  networks  grow  incrementally  by  adding  connections  to  other 
internal  networks  as  well  as  single  machines.  It  is  hard  to  check  if  such 
additions  introduce  resources  into  the  internal  network  that  do  not 
conform  to  network  wide  policy. 

4)  In  order  for  users  to  enforce  a  security  policy  they  must  be  educated  as 
to  its  purpose  and  operation.  Educating  all  users  of  a  decentralized 
network  is  hard  to  accomplish  once,  let  alone  every  time  an  external  link 
is  established. 

These  conditions  suggest  the  use  of  non-discretionary  access  controls  to  isolate 
strictly-internal  resources  without  relying  on  the  discretion  or  explicit  action  of 
strictly  internal  resource  owners. 

However,  the  controls  needed  differ  from  traditional  non  discretionary  controls  in 
two  important  ways: 

1) We  want  to  control  invocation  of  strictly-internal  computer-based 
resources.  Most  of  the  literature  on  non-discretionary  controls  is 
concerned  with  control  of  information  flow  only. 

2)  We  want  to  protect  the  owner  of  the  service  being  invoked.  Most  of  the 
literature  that  does  concern  non-discretionary  controls  on  invocation  is 
concerned  with  protecting  the  integrity  of  the  invoker  only. 

Despite  these  differences,  it  seems  that  with  a  few  modifications,  the  traditional 
non-discretionary  control  policies  can  be  used  in  this  environment: 

1)  Define  special  network  entry  points  (gateways). 

2)  Implement  non-discretionary  invocation  controls  on  incoming  traffic  in 
the  gateway(s)  using  category  sets  and  the  following  Intersect  rule:  user 
A  can  invoke  resource  B  if  and  only  if  {C}a  Intersect  {C)b  is  not  equal  to 
0- 

3)  Include  authorized  outsiders  in  the  category  sets  of  internal  resources 
that  the  organization  wants  to  make  accessible  to  outsiders.  Assign  a 
null-set  category  set  to  resources  that  are  to  remain  strictly  internal,  so 
that  no  one  will  be  able  to  access  them  via  the  gateway  (internal  users 
can  still  get  to  them  since  they  do  not  do  so  via  the  gateway). 
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The  model  is  being  tested  in  one  domain,  industrial  and  academic  research  and 
development  laboratories. 


2.2.  Security  Requirements  and  Technical  Mechanisms  for  Inter- 
Organization  Networks 

These  interconnections  raise  new  and  interesting  security  requirements.  Unlike 
traditional  security  requirements,  the  goal  is  not  to  prohibit  access  by  outsiders; 
some  outside  access  is  explicitly  desired.  However,  because  potential  users  are 
outside  the  boundaries  of  the  organization,  they  should  not  be  treated  as  insiders 
and  the  potential  damage  of  undesired  access  is  high. 

Beefing  up  security  on  all  internal  systems/resources  is  not  an  attractive,  nor 
feasible,  approach.  The  set  of  resources  that  an  organization  wants  to  make 
accessible  is  significantly  smaller  than  the  set  that  it  wants  to  remain  strictly  internal. 
Therefore,  these  strictly-internal  resources  should  not  be  required  to  take  action  in 
order  to  be  protected  from  external  access.  Such  a  requirement  is  inappropriate  for 
several  reasons: 

1)  Typically,  the  purpose  of  an  internal  network  is  to  facilitate 
communication  and  resource  sharing.  Increased  internal  usage 
controls  that  arc  tailored  to  restrict  outsiders  may  interfere  with  this 
objective. 
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1.  INTRODUCTION 

Rearrangements  of  Computer  Systems  Group  boundaries  occurred  in  1983-84, 
with  the  result  that  the  area  reported  under  this  title  is  substantially  smaller  than  in 
past  years.  The  research  projects  of  the  group  now  fall  in  three  categories:  inter¬ 
organization  networks,  local  area  network  technology,  and  network  services.  The 
next  sections  describe  these  three  areas  in  turn. 

2.  INTER-ORGANIZATION  NETWORKS 

During  the  past  year  Deborah  Estrin  continued  her  doctoral  research  on  the 
interconnection  of  computer  networks  across  organization  boundaries.  This 
interdisciplinary  research  encompasses  both  effects  on  organizations  and  new 
technical  requirements. 

2.1.  Impact  on  Inter-organization  Relationships 

When  two  or  more  distinct  organizations  interconnect  their  internal  computer 
networks  to  facilitate  information  and  resource  exchange,  they  form  an  Inter- 
Organization  Network  (ION).  Ms.  Estrin  has  developed  a  model  of  how  lONs  impact 
organizations  and  inter-organization  relationships.  For  a  given  domain,  the  model 
predicts  whether  lONs  favor  vertical  integration  or  de-integration  (e.g.,  make  or  buy, 
internal  development  or  joint  ventures),  and  market  concentration  or  competition,  for 
example. 

Inter-Organization  Networks  are  a  new  type  of  transaction  mechanism  that  support 
new  communication  and  interchange  patterns  among  organizations.  The  new 
interchange  patterns  in  turn  support  new  governance  structures.  Greater  intensity 
and  scope  allow  more  activities  to  be  carried  out  efficiently  across  the  organization 
boundary  (i.e.,  in  the  market);  in  addition,  interchange  can  be  managed  efficiently 
with  a  larger  set  of  organizations  (i.e.,  a  larger  <  'tual  market).  However,  increased 
penetration  and  idiosyncrasy  of  interchange  may  lead  organizations  to  adopt  more 
formal  governance  structures  (e.g.,  contracts)  and  preclude  interchange  with  an 
expanded  number  of  market  members.  The  outcome  of  these  antagonistic  factors 
depends  upon  factors  exogenous  to  the  ION:  the  production  cost  advantage  of 
carrying  out  an  activity  in  the  market  as  opposed  to  internally  within  the  firm;  and  the 
level  of  decision  making  attention  applied  to  the  interconnection.  The  model  is 
described  in  the  figure  below. 
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Theses  Completed 

1.  Ackerman.  W.B.  "Efficient  Implementation  of  Applicative  Languages," 
Ph  D.  dissertation.  MIT  Department  of  Electrical  Engineering  and 
Computer  Science,  Cambridge,  MA,  April  1984. 

2.  Kuszmaul,  B.  "Type-checking  in  VIM-VAL,"  S  B.  thesis,  MIT  Department 
of  Electrical  Engineering  and  Computer  Science,  Cambridge.  MA,  May 
1984. 

3.  Brock,  J.  D.  "Formal  Model  of  Non-determinate  Data  Flow 
Computation,"  Ph.D.  dissertation,  MIT  Department  of  Electrical 
Engineering  and  Computer  Science,  Cambridge,  MA,  August  1983. 

Theses  in  Progress 

1.  Boughton,  G.A.  "Routing  Networks  for  Packet  Communication 
Systems,"  Ph.D.  dissertation,  MIT  Department  of  Electrical  Engineering 
and  Computer  Science,  Cambridge,  MA,  expected  September  1984. 

2.  Chu,  T  A.  "A  Design  Methodology  for  Self-timed  VLSI  Systems,"  Ph.D. 
dissertation,  MIT  Department  of  Electrical  Engineering  and  Computer 
Science,  Cambridge,  MA,  expected  June  1986. 

3.  Gao,  G-R.  "A  Pipelined  Code  Mapping  Scheme  for  Static  Data  Flow 
Computers,"  Ph.d.  dissertation,  MIT  Department  of  Electrical 
Engineering  and  Computer  Science,  Cambridge,  MA,  expected 
December  1985. 

4.  Guharoy,  B.  "Memory  Management  in  a  Static  Data  Flow  Computer 
System,"  S.M.  thesis,  MIT  Department  of  Electrical  Engineering  and 
Computer  Science,  Cambridge,  MA,  expected  May  1985. 

5.  Jaganathan,  S.  "Guaranteeing  Data  Security  in  a  Dynamic  Data  Flow 
Machine,"  S.M.  thesis,  MIT  Department  of  Electrical  Engineering  and 
Computer  Science,  Cambridge,  MA,  expected  January  1985. 
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A  program  in  VimVal  can  be  translated  into  a  dataflow  graph  and  the  local 
constraints  the  program  places  on  the  types  of  its  expressions  can  be  described  in 
terms  of  the  class  of  regular  sets  which  satisfy  an  operator’s  type  requirements. 
Type  correctness  can  be  defined  in  terms  of  the  number  of  regular  sets  which  satisfy 
every  operator's  type  requirements:  a  program  is  type  correct  if  there  is  exactly  one 
regular  set  satisfying  all  the  type  requirements  of  all  the  operators  in  a  program. 
Type  correctness  is  well  defined  in  terms  of  mathematical  set  operations.  Type 
correctness  has  been  shown  to  be  decidable,  and  an  efficient  type  checking 
algorithm  for  VimVal  has  been  developed  on  the  basis  of  this  theory. 

10.  BACKUP  AND  RECOVERY  ISSUES  IN  VIM 

We  wish  to  provide  a  backup  and  recovery  system  for  Vim  that  will  guarantee  the 
security  of  all  online  data.  We  envision  ‘hat  incremental  backup  information  will  be 
maintained  on  some  stable  storage  device  -  stable  disk  •-  with  older  backup 
information  being  held  on  tape  storage.  The  objective  is  that,  following  loss  of  data 
due  to  hardware  failure,  full  recovery  of  the  system  to  the  situation  prevailing  just 
prior  to  the  fault  is  possible.  That  is,  users  will  be  able  to  continue  as  if  no  fault  had 
occurred  except  for  the  loss  of  a  few  characters  from  terminal  input/output  buffers. 

An  interesting  approach  is  made  possible  by  the  applicative  nature  of  the  VimVal 
language:  since  reexecution  of  any  procedure  that  is  a  function  is  guaranteed  to 
produce  the  same  results,  even  in  the  presence  of  arbitrary  concurrent 
computations,  it  is  not  necessary  to  back  up  intermediate  states  of  function 
evaluation;  only  the  arguments  of  the  invocation  need  be  saved.  This  concept 
becomes  more  intricate  as  one  considers  data  structures  and  stream-oriented 
computation.  Of  course,  guardians,  the  mechanism  provided  in  Vim  for  implementing 
nondeterminate  computations,  must  be  treated  carefully.  These  issues  are  the 
subject  of  master's  thesis  research  in  progress  by  Suresh  Jaganathan. 
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Therefore  we  are  examining  the  issues  involved  in  implementing  a  paging 
mechanism  for  Vim  with  a  small  page  size.  The  unit  of  transfer  between  the  main 
store  and  the  disk  is  called  a  chunk  and  its  size  has  been  set  at  32  words  for  our 
present  experimental  design. 

Bhaskar  Guharoy  has  designed  representations  for  the  principal  structured  data 
types  of  Vim  ••  arrays  and  records  •-  to  permit  efficient  operation  of  the  storage 
management  system.  A  large  array  or  nested  record  structure  is  represented  as  a 
tree  of  chunks.  In  this  representation,  data  structures  may  share  common 
substructures,  and  the  basic  operations  of  accessing  an  element  or  creating  an 
altered  version  of  a  structure  can  be  done  in  log(n)  steps  for  a  structure  of  n 
elements.  Furthermore,  a  full  (modified)  copy  of  a  data  structure  may  be  made  in 
log(n)  time. 

The  design  of  VimVal  and  its  implementation  is  such  that  circular  structures  are 
never  created  during  system  operation.  This  acyclic  property  of  the  data  structures 
permits  use  of  a  reference-count  based  storage  reclamation  mechanism. 

9.  THE  VIM  TYPE  SYSTEM 

A  type  system  has  been  developed  for  the  revised  version  of  the  Val  programming 
language  (VimVal)  in  a  bachelor's  thesis  completed  by  Bradley  Kuszmaul.  The  type 
system  is  designed  so  that  users  of  VimVal  may  omit  type  declarations  from  their 
programs  whenever  the  typo  of  an  expression  can  be  determined  by  the  compiler. 
The  system  combines  several  ideas  that  have  been  found  to  be  worthwhile  in 
advanced  language  designs.  To  start  with.  VimVal  includes  higher  order  functions, 
that  is.  functions  are  "first  class  objects"  and  may  be  passed  as  values  and  built  into 
data  structures.  The  type  system  allows  programs  to  be  wiitten  with  incomplete  type 
specifications,  and  the  type  checker  infers  the  types  of  expressions  from  their 
context.  The  types  of  some  expressions  may  remain  undetermined  even  after 
program  compilation.  This  allows  the  binding  of  types  to  be  deferred  until  the  module 
is  linked  to  other  modules  to  create  an  executable  program.  At  that  point  all  types 
must  be  determined,  for  we  wish  to  exclude  the  possibility  of  discovery  of  type  errors 
during  program  execution.  This  aspect  of  the  type  system  allows  program  modules 
to  be  "polymorphic"  -•  a  module  may  perform  analogous  operations  on  different 
types,  according  to  the  modules  linked  to  it. 

The  thesis  develops  a  theory  of  types  which  applies  to  a  large  class  of 
programming  languages,  including  VimVal.  The  notion  of  type  is  defined  in  terms  of 
regular  sets,  which  describe  sequences  of  legal  operations  on  a  value  of  a  given 
type.  Recursive  types  allow  infinite  sequences  of  legal  operations,  so  the  definition 
of  types  allows  infinitely  long  sequences  to  be  elements  of  the  regular  sets 
describing  a  type. 
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of  communication.  Networks  are  presented  that  come  close  to  supporting  the 
desired  level  of  performance  using  the  specified  amount  of  wire.  Networks  for  other 
patterns  of  communication  are  also  briefly  discussed. 

Research  is  beginning  on  how  the  routing  network  influences  performance  of  the 
static  dataflow  machine.  The  effects  of  packet  traffic  flow  patterns  generated  by  the 
program  workload  on  the  throughput  of  the  routing  network  (as  well  as  the  rest  of 
the  machine)  are  being  examined.  From  the  results  of  this  analysis,  possible 
methods  for  improving  the  performance  of  the  routing  network  are  being  considered. 
Initially,  the  structure  of  the  routing  network  is  being  restricted  to  the  indirect  binary 
n-cube,  and  the  program  workload  is  being  restricted  to  the  class  of  pipe-structured 
programs. 

7.  GENERAL  PURPOSE  DATA  FLOW  COMPUTING:  THE  VIM 
PROJECT 

The  Computation  Structures  Group  is  developing  an  experimental  advanced 
general  purpose  computing  system  based  on  the  principles  of  dataflow  computation 
and  functional  programming  and  using  the  model  of  computation  proposed  by 
Dennis  [7],  The  prototype  for  such  a  system  is  the  Val  Interpretive  Machine  or  Vim. 
The  high-level  functional  programming  language  chosen  for  this  project  is  VimVal,  a 
revision  and  extension  of  Val  [1],  Our  current  work  on  Vim  covers  three  areas:  the 
development  of  a  comprehensive  memory  system  for  supporting  VimVal  data 
structures:  development  of  a  simple  but  general  type  system  for  VimVal  using  type 
inference;  and  the  development  of  specialized  backup  and  recovery  procedures  for 
Vim. 

8.  VIM  STRUCTURES 

The  physical  storage  system  of  Vim  consists  of  a  semiconductor  main  store  and  a 
disk.  A  common  virtual  address  space  is  provided  to  all  users  to  facilitate  the 
sharing  of  programs  and  data.  Ideally,  the  only  information  brought  from  the  disk  into 
the  main  store  should  be  the  logical  units  of  information  •-  such  as  records  and 
arrays  -•  which  are  referenced  by  the  computation.  A  large  page  size  is  undesirable 
because  inefficient  memory  use  results  when  independent  logical  units  are  packed 
into  the  same  page.  In  conventional  systems  a  small  page  size  is  troublesome 
because  the  large  page  traffic  cannot  be  handled  efficiently.  In  particular,  the 
overlapped  execution  of  several  page  accesses  for  one  computational  process  is 
generally  impractical. 

In  the  case  of  Vim,  the  concurrency  of  the  dataflow  program  execution  model 
makes  the  overlapped  handling  of  page  accesses  much  easier  to  consider. 
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4.  NETWORK  SERVICES 


4.1.  Personal  Computer  Networking:  PC/IP 

Work  continued  on  the  development  of  network  programs  for  the  IBM  PC.  This 
year,  several  new  programs  were  written,  including  one  that  displays  all  packets  sent 
on  the  Ethernet,  which  is  useful  for  debugging.  Other  programs  placed  in  service 
include  a  file  transfer  server  package,  a  remote  printing  user  interface,  and  an 
interface  to  the  ARPANET  Network  Information  Center  name  directory.  A  major 
program  which  was  finished  was  an  implementation  of  RVD,  the  Remote  Virtual  Disk 
protocol,  for  the  IBM  PC.  RVD  was  developed  by  LCS  to  permit  shared  (read  only) 
disks  and  large  private  disks  on  Vaxes  that  actually  have  only  small  ones.  The  PC 
implementation  allows  ten  RVD  drives  on  one  machine,  making  it  possible  to  have 
tremendous  amounts  of  data  accessible.  In  the  current  implementation,  disk 
accesses  are  about  as  fast  as  a  floppy  disk.  A  drawback  of  the  current 
implementation  is  that  no  network  programs  (most  important,  TFTP)  can  write  to  an 
RVD  disk  because  of  contention  for  the  network  interface.  The  problems  are  mostly 
caused  by  the  unusual  structure  of  the  programs  and  awkward  integration  of  the 
network  with  the  PC  DOS  operating  system.  Another  major  addition  this  year  was  a 
driver  for  the  proNET  ring  interface  for  the  IBM  PC.  John  Romkey  worked  on  the 
programs  and  the  RVD  implementation. 

A  major  release  of  the  source  language  versions  of  the  PC  network  programs  was 
made,  dated  February  1.  The  release  included  most  of  the  work  done  prior  to  RVD, 
binaries  of  all  the  programs,  the  User’s  Manual  and  the  Programmer's  Manual.  It 
was  2.8  Mbytes  long.  Copyright  messages  in  the  code  grant  permission  to  do 
anything  except  remove  the  copyright  messages.  Over  50  copies  have  been  shipped 
at  a  $45  fee  that  covers  the  cost  of  a  tape,  duplication,  and  postage.  Handling  of  the 
distribution  was  done  largely  by  Muriel  Webber. 

4.2.  On-line  Directory  System 

Kimberly  Koile  completed  a  Master’s  thesis  describing  the  design  and 
implementation  of  an  online  directory  assistance  system  called  DIRSYS.  The 
system,  designed  for  use  by  members  of  the  MIT  community,  has  an  incremental 
interface  that  combines  features  of  a  paper  telephone  book  with  those  of  a  full¬ 
screen  editor  such  as  Emacs.  Each  directory  entry  is  displayed  in  a  compact  one 
line  per  entry  format,  as  arc  entries  in  a  paper  telephone  book.  Since  more 
information  is  available  for  each  entiy  than  in  a  paper  telephone  book,  a  command  is 
a\  jilable  for  changing  entries  into  a  more  expanded  format  in  which  additional 
information  is  displayed. 

Users  may  "browse"  through  this  electronic  telephone  book  by  issuing  commands 
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similar  to  fmacs’  cursor  motion  commando.  ot  they  may  coarch  foi  a  Mr.cific  name 
by  typing  the  name.  After  each  letter  that  the  user  typ;  u.  DIRGYR  moves  the 
h:,jn!t;jht.  the  moans  of  emphasizing  an  entry,  to  the  entry  whose  name-  str  ing  most 
closely  matches  what  the  user  has  typed  so  far.  This  incremental  search  mechanism 
is  similar  to  that  used  in  Emacs.  The  system  provides  a  help  facility  with  two  levels: 
the  first  level  reminds  users  of  which  commands  are  available;  the  second  level 
describes  the  function  of  a  specified  command  in  detail.  A  tutorial  is  available  for 
users  who  want  a  very  detailed  description  of  the  system. 


Finally,  DIRSYS  provides  a  facility  for  keeping  the  information  in  the  directory 
database  up-to-date.  A  user  may  submit  update  request.'.,  which  contain  information 
about  modifications  to  his  directory  entry,  to  the  DIRSYS  manager.  When  the  update 
requests  have  been  validated,  the  information  contained  in  them  is  incorporated  into 
the  directory  database  by  an  update  daemon,  a  program  that  runs  every  night  to 
update  the  database. 


A  preliminary  evaluation  of  DIRSYS  indicates  that  the  system  can  l;e  used  easily  by 
both  inexperienced  and  experienced  computer  users.  Details  of  the  evaluation  were 
described  in  the  thesis.  The  learning  aids  guide  the  novice  without  encumbering  the 
experienced  user.  The  commands  are  simple,  easy  to  use.  and  consistently 
interpreted.  The  system  provides  prompts  and  polite,  informative  messages  to  the 
user.  It  also  is  robust  in  that  it  is  very  difficult  to  cause  DIRSYS  to  fail  to  operate. 
Finally,  individuals  who  used  DIRSYS  seemed  to  enjoy  using  the  system,  oven 
though  the  system  response  was  slow  at  times,  and  agreed  Hint  a  director y  system 
such  as  DIRSYS  would  provide  a  convenient  service  for  use  both  inside  and  outside 
the  MIT  community. 

Doris  Karlson,  in  an  undergraduate  thesis,  explored  the  possibility  of  a  search 
based  on  name  sounds  as  an  alternative  to  the  incremental  search  of  DIRSYS.  A 
modified  version  of  the  Soundex  indexing  system  was  tried  on  the  MR  directory 
database.  Statistics  from  that  database  suggest  two  things:  1)  A  more  sophisticated 
indexing  system  than  Soundex  seems  necessary  for  reason. Trio  human  engineering, 
because  the  Soundex  system  tends  to  index  too  many  names  that  do  not  sound  alike 
in  the  same  category;  and  2)  The  frequency  of  similar-sounding  names  in  a  file  of 
20,000  entries  is  largo  enough  that  display  of  more  than  one  name  per  line,  20  lines 
per  display  is  requited. 


4.3.  Analysis  of  Timeout  Algorithms  for  Packet  Retransmission 

Almost  all  networking  and  distributed  systems  protocols  have  to  cope  with  the 
problem  of  determining  when  a  node  should  retransmit  a  packet  that  h:.;,  not  been 
acknowledged.  A  bad  timeout  algorithm  may  eithci  flood  the  network  with  duplicate 
copies  of  packets  and  lead  to  unwanted  congestion  or  il  may  take  too  long  to 
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retransmit  a  packet.  An  analysis  of  various  timeout  algorithms  shows  that  during 
period  of  congestion  {repeated  packet  loss),  most  timeout  algorithms  would  either 
diverge  to  extremely  high  timeout  intervals,  or  converge  to  a  rather  low  timeout 
value.  In  either  case,  the  throughput  may  be  reduced  to  virtually  zero  or  the  circuit 
may  be  disconnected  prematurely.  Raj  Jain  did  a  simulation  study  of  a  variety  of 
timeout  algorithms  and  has  compiled  a  list  of  guidelines  for  designing  such 
algorithms  and  for  setting  parameter  values. 
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1.  INTRODUCTION 

The  Distributed  Computer  Systems  Group  is  a  new  group  this  year,  formed  from 
certain  members  of  the  Computer  Systems  and  Communications  Group  and  the 
Computer  System  Structures  Group.  The  major  project  of  this  group  has  been  the 
development  of  the  Swift  Operating  System,  but  there  are  a  number  of  other  projects 
which  are  described  in  the  sections  to  follow. 

2.  SWIFT 

2. 1 .  Project  Summary 

The  Swift  Operating  System  arose  out  of  our  earlier  research  in  the  implementation 
of  network  protocols.  Recurring  performance  problems  with  protocol  software  led 
us  to  the  conclusion  that  there  was  an  underlying  problem  more  general  than 
specific  design  flaws  in  certain  protocol  suites.  Our  conclusion  was  that  existing 
operating  systems,  such  as  Unix,  failed  to  provide  the  correct  run  time  support  for 
highly  interactive  parallel  software  packages  such  as  protocols.  Swift  is  intended  to 
demonstrate  that  proper  support  for  this  kind  of  software  can  be  easily  supplied. 

The  most  novel  aspect  of  Swift  is  the  general  structure  provided  for  inter-  and  intra¬ 
process  flow  of  control  and  information.  Swift  supports  a  programming  style  loosely 
built  around  two  interrelated  concepts,  multiprocess  modules  and  upcalls. 

In  traditional  systems,  the  supervisor  consists  of  a  set  of  entry  points  which  are 
invoked  by  the  application  program.  That  is.  the  ap,  cation  makes  a  subroutine  call 
to  a  lower  level,  which  performs  some  service  for  the  application  and  then  returns. 
In  a  network  driven  environment,  most  of  the  actions  are  initiated,  not  by  the  client 
from  above,  but  by  the  network  from  below.  Therefore,  the  most  natural  flow  of 
control  is  not  down  from  above  but  up  from  below.  Most  systems  support  this 
upward  flow  of  control  poorly,  using  either  a  very  inefficient  interprocess  message  to 
achieve  this  upward  flow,  or  a  very  efficient  but  unstructured  interrupt.  Our  system 
permits  subroutines  to  be  arranged  so  that  the  natural  flow  of  control  can  either  be 
up  from  below  or  down  from  above.  Permitting  control  to  flow  in  a  natural  direction 
eliminates  many  unnecessary  process  schedulings  within  software  such  as  network 
protocols,  and  has  in  some  cases  permitted  a  tenfold  reduction  in  the  bulk  of  the 
code,  as  well  as  a  tenfold  increase  in  its  performance. 

The  upcall  strategy  eliminates  process  switching  as  a  means  of  invoking  a  software 
module  such  as  a  protocol  layer.  Traditionally,  a  protocol  layer  would  be  organized 
as  a  separate  process,  but  now  it  is  organized  as  subroutines  which  live  in  a  number 
of  processes,  cacti  callable  as  appropriate  from  above  or  below.  There  must  thus  be 
a  mechanism  for  these  various  subroutines  to  share  state  in  such  a  way  that  the 
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function  of  a  particular  module  is  carried  out.  For  this  purpose,  Swift  uses  the 
operating  system  mechanism  called  a  "monitor,"  a  shared  data  object  whose  lock  is 
managed  by  the  system  itself.  Subroutines  in  different  processes  that  collaborate 
with  each  other  constitute  a  multiprocess  module.  Swift  supports  a  programming 
style  in  which  interprocess  communicati''-'  is  never  used  as  a  way  for  one  module  to 
invoke  another,  but  rather  interprocess  communication  is  only  used  within  one 
module,  through  the  mediation  of  the  monitor  locks. 

Programs  written  using  the  philosophy  of  upcalls  and  multiprocess  modules  turn 
out,  if  written  by  sophisticated  programmers,  to  be  very  simple,  short  and  efficient. 
However,  these  tools,  in  the  hands  of  tasteless  programmers,  have  the  possibility  of 
creating  the  parallel  programming  equivalent  of  Fortran  "spaghetti  code."  One  of 
the  concerns  of  our  research  is  developing  constraints  on  the  programming  style 
which  lead  to  coherent  and  readable  programs  without  severely  impacting  the 
efficiency  and  natural  structure  of  the  code. 

There  are  two  other  features  to  Swift  which,  along  with  these  new  ideas  for 
program  structure,  distinguish  it  from  other  operating  systems.  The  first  of  these  is 
the  support  which  Swift  supplies  for  real  time  support,  and  the  other  is  the  support 
for  management  of  its  address  space. 

Swift  is  concerned  with  tasks  such  as  network  protocols,  which  involves 
scheduling  a  number  of  small  computations  to  run  in  the  1-10  millisecond  region. 
For  this  reason,  the  operating  system  that  supports  this  task  must  have  something  in 
common  with  a  real-time  operating  system,  rather  than  a  general  purpose  time¬ 
sharing  system.  Swift  contains  a  task  scheduler  which  assigns  a  priority  to  tasks 
based  on  the  real-time  deadline  of  the  task,  measured  in  milliseconds.  This  rather 
sophisticated  scheduler  is  integrated  into  the  monitor  lock  facility,  so  that  a  high- 
priority  task  encountering  the  lock  set  by  a  low-priority  task  can  promote  the  low- 
priority  task  to  run  until  such  time  as  the  lock  is  released. 

The  other  important  feature  of  Swift  is  its  approach  towards  management  of  its 
address  space.  There  are,  historically,  three  ways  toward  dealing  with  the  address 
space  in  an  operating  system.  The  first,  typified  by  Multics,  provides  a  multiple 
address  space  environment,  with  a  very  rich  set  of  tools  for  sharing  data  between 
these  address  spaces  in  a  controlled  manner.  This  provided  efficient  interprocess 
communication,  but  required  special  hardware  support  which  limited  the  portability 
of  the  system.  The  second,  typified  by  Unix,  provided  a  multiple  address  space 
environment  with  limited  tools  for  sharing  between  them.  The  elimination  of 
sophisticated  sharing  mechanisms  meant  that  there  were  no  special  hardware 
requirements  for  support  of  the  system,  so  it  could  be  easily  ported  onto  new 
machines,  but  it  meant  that  highly  parallel  computations  were  very  difficult  and 
inefficient  to  program  on  the  system.  For  Swift,  neither  of  these  approaches 
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appealed  to  us.  We  could  not  tolerate  the  inefficiency  of  a  Unix-like  interprocess 
communication  mechanism,  and  we  were  not  interested  in  a  system  with  strong 
requirements  for  specialized  hardware  support.  Swift  thus  chose  a  third  option  for 
address  space  management,  which  is  to  put  all  the  computations  of  the  system  into  a 
single  large  address  space.  Clearly,  this  requires  no  special  hardware  support,  and 
it  certainly  provides  very  efficient  communication  between  different  tasks.  The  major 
drawback  of  this  approach,  which  is  almost  overwhelming,  is  that  the  broad  sharing 
of  a  single  address  space  means  that  program  bugs  cause  corruption  of  arbitrary 
parts  of  storage,  leading  to  crashes  which  are  almost  impossible  to  debug.  We  thus 
set  ourselves  a  goal  of  building  a  single  address  space  operating  system  with 
sufficient  restraints  that  program  development  and  execution  would  be  stable  and 
predictable,  even  though  each  task  address  space  was  nominally  shared  with  all  of 
the  other  tasks  on  the  system. 

The  approach  we  took  to  this  is  to  program  Swift  in  a  language  which  uses  compile 
and  run-time  checking  to  detect  erroneous  references  to  memory  and  other  similar 
bugs.  Specifically,  we  have  implemented  Swift  in  the  CLU  programming  language. 
CLU  performs  such  tests  as  bounds  checking  for  array  references,  and  most 
important  it  prevents  the  use  of  an  arbitrary  bit-pattern  as  a  pointer,  so  that 
references  through  arbitrary  bit-patterns  cannot  corrupt  unexpected  locations  in 
memory. 

The  most  insidious  bug  which  can  arise  in  a  system  such  as  this  is  the  use  of  a  bad 
pointer,  not  because  the  pointer  has  been  created  incorrectly,  but  because  the 
pointer  points  to  a  location  in  memory  which  has  been  de  allocated  and  reused.  This 
can  easily  happen  in  a  multi  task  environment,  if  one  task  believes  that  an  object  is 
no  longer  needed,  while  another  task  continues  to  use  that  pointer.  The  only  way  to 
avoid  this  class  of  bug  is  to  take  de  allocation  of  storage  away  from  the  application 
and  perform  it  in  the  system.  This  is  the  function  called  Garbage  Collection.  One  of 
the  challenges  of  the  Swift  system  is  to  develop  a  garbage  collector  suitable  for  the 
operating  system  environment. 

2.2.  Project  Status 

A  major  effort  effort  over  the  last  year  has  been  the  moving  of  the  Swift  system  from 
the  Vax  onto  a  68000  processor.  This  move  was  necessitated  by  several 
architectural  limitations  of  the  Vax,  in  particular  the  very  inefficient  I/O  structure,  by 
the  lack  of  an  all-points-addressable  display  for  the  Vax,  and  by  the  high  cost  of  the 
Vax.  which  prevented  the  deployment  of  the  machine  in  suitable  numbers.  Swift  is 
now  running  on  a  68000-based  machine  which  we  have  assembled  out  of 
commercially  purchased  cards.  In  retrospect,  a  great  deal  of  group  effort  went  into 
making  usable  a  machine  which  was  somewhat  cheaper  than  would  have  been  ideal: 
however.  Swift  is  now  running  and  we  are  proceeding  with  a  number  of 
improvements  which  were  not  possible  within  the  Vax  version  of  the  system. 
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Considerable  effort  has  been  invested  in  the  design  of  a  suitable  garbage  collector 
for  Swift.  Ideally,  our  garbage  collector  would  have  the  following  characteristics. 
First,  it  is  incremental,  collecting  garbage  a  little  at  a  time  while  the  system  runs, 
rather  than  stopping  the  system  while  all  of  memory  is  examined.  Second,  it  should 
not  move  objects  around  as  a  part  of  collecting  garbage,  because  I/O  devices  may 
have  pointers  into  memory,  which  are  difficult  to  find  and  change  arbitrarily.  Third,  it 
should  not  require  a  large  quantity  of  additional  memory  to  use  as  the  temporary 
storage  area  for  the  garbage  collection  process. 

A  number  of  very  creative  ideas  were  proposed  for  the  Swift  system,  taking  into 
account  that  the  system  is  intended  to  run  on  a  desktop  workstation  or  similar  node 
of  a  networked  distributed  system.  If  we  truly  believed  that  network  communication 
was  extremely  rapid,  then  an  obvious  way  to  garbage  collect  one's  environment  is  to 
make  a  snapshot  of  it  and  send  the  snapshot  across  the  net  to  a  cleaning  machine 
which  would  send  back  a  laundered  version  of  the  address  space.  However,  it 
seems  difficult  to  get  the  necessary  throughput  across  the  net.  Certain  garbage 
collection  strategies,  in  particular  the  one  proposed  by  Dijkstra,  seem  directly 
relevant  to  what  we  are  doing  and  have  been  implemented  for  trial  later  this  year. 
Perhaps  the  most  novel  garbage  collector  we  have  proposed  is  the  Probabilistic 
Parallel  Garbage  Collector  (PPGC).  This  superficially  silly  idea  involves  allowing  the 
garbage  collector  to  run  in  parallel  with  the  other  tasks,  without  the  traditional 
interlocks.  This  raises  the  possibility  that,  under  certain  very  anomalous 
circumstances,  the  garbage  collector  may  declare  as  garbage  something  that  is  not. 
However,  there  are  ways  that  this  event  can  be  tested  after-the-fact,  which  means 
that  the  investment  of  additional  bacKground  cycles  from  the  machine  can  reduce  to 
an  acceptable  level  the  probability  that  we  have  made  an  error.  Unfortunately,  we 
cannot  come  up  with  any  analytical  model  that  tells  us  exactly  what  the  probability  of 
failure  is.  Thus,  we  are  experimenting  with  PPGC,  under  a  variety  of  program  loads, 
to  determine  under  what  circumstances  errors  may  arise.  It  has  been  difficult  to 
assess  the  probability  so  far,  since  we  have  not  yet  had  a  single  garbage  collection 
error  due  to  the  probabilistic  assumption. 

CLU,  as  it  is  used  as  an  application  programming  language  at  MIT,  does  not  have 
any  dynamic  linking  capability.  That  is,  one  compiles  all  the  programs  that  are  to  be 
part  of  the  current  run,  then  one  statically  links  them,  and  then  one  brings  this  static 
load-image  into  execution.  Swift  requires  a  dynamic  linking  capability,  and  over  the 
last  year  this  has  been  designed  and  implemented.  We  are  now  testing  a  dynamic 
loader  which  will  bring  subsystems  into  a  running  CLU  environment  and  dynamically 
resolve  all  of  the  cross-module  references. 

A  more  difficult  problem  is  unlinking  the  module  and  removing  it  from  the 
environment  after  it  is  needed.  It  could  be  argued  that  this  step  is  unnecessary. 
However,  this  will  cause  the  size  of  the  link-image  to  grow  continuously,  which 
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means  that  the  memory  management  algorithm  must  be  more  sophisticated  than  if 
modules  can  be  thrown  out  when  they  are  no  longer  needed.  Since  we  do  not  wish 
to  make  sophisticated  assumptions  about  our  virtual  memory  (since  we  want  the 
system  to  be  portable  onto  a  wide  variety  of  hardware)  and  since  virtual  memory 
techniques  are  fairly  well  understood,  we  are  concentrating  our  energy  on  exploring 
the  higher-  level  auestion  of  whether  or  not  programs  can  be  unlinked  and  removed 
from  the  address  space  of  the  system,  either  to  suspend  them  while  they  are  running 
or  to  remove  them  when  they  are  no  longer  needed.  Preliminary  design  for  this 
approach  is  now  completed. 

Most  operating  systems  provide  a  file  system  for  their  users  and  Swift  is  no 
exception.  However,  we  were  uninterested  in  writing  the  necessary  device  drivers  to 
permit  Swift  to  support  disks.  Instead,  as  part  of  Swift,  we  have  developed  a  remote 
file  system  protocol,  which  permits  Swift  to  utilize  file  systems  stored  on  other 
machines.  We  have  implemented  a  simple  server  for  this  protocol,  and  the 
implementation  of  the  Swift  interface  is  almost  complete. 

We  have  implemented  a  number  of  test  applications  on  Swift,  in  order  to  determine 
system  performance  and  to  stress  the  garbage  collector.  Perhaps  the  largest  is  the 
text  editor  Ted,  which  is  a  very  popular  CLU  program  on  both  TOPS  20  and  Unix.  As 
scon  as  the  file  system  is  wmking,  we  will  be  able  to  run  a  fully  usable  version  of  Ted 
on  Swift,  which  will  give  us  a  considerable  test  of  the  system's  performance. 

One  of  the  most  interesting  applications  has  always  been  network  protocols 
themselves,  and  we  are  currently  rewriting  our  earlier  implementation  of  the  protocol 
package  for  Swift,  in  order  to  improve  its  performance,  and  to  get  more  experience 
with  the  proper  structure  of  such  programs  inside  Swift. 

2.3.  Future  Directions 

The  major  implementation  effort  on  Swift  will  probably  finish  within  the  next  six 
months.  At  that  point  there  will  be  a  major  project  review  to  determine  what  future 
direction  the  project  will  take.  There  are  two  important  questions  which  we  wish  to 
answer  before  the  project  terminates.  The  first  of  these  is  whether  we  can 
understand  how  to  structure  programs  built  around  the  concepts  of  upcalls  and 
multiprocess  modules.  These  concepts  give  the  programmer  great  freedom,  and  it 
has  been  noticed  in  the  past  that  great  freedom  sometimes  leads  to  very  poor 
programming  style.  We  thus  identify  a  conflict  between  our  desire  for  the  efficiency 
which  comes  from  the  these  new  tools,  and  the  desire  to  have  constraints  that  lead 
to  good  style.  We  feel  that  Swift  has  taught  us  some  fresh  insights  about  the 
construction  of  multiprocess  programs,  and  we  are  anxious  to  understand  this  in  as 
general  a  manner  as  possible.  Second,  we  are  anxious  to  learn  how  effectively  we 
can  achieve  our  goal  of  supporting  reliably  a  single  address  space  operating  system. 
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In  order  to  do  this  we  must  experiment  further  with  garbage  collection  and  with 
linking  and  unlinking. 

In  order  to  achieve  these  goals,  we  feel  that  it  may  be  necessary  to  implement 
additional  application  programs  which  utilize  the  features  of  Swift,  however,  the 
hardware  base  on  which  we  run  is  sufficiently  unstable  that  large-scale  software 
development  is  not  tractable.  We  must,  therefore,  make  a  decision  as  to  whether  we 
will  move  Swift  onto  yet  a  third  hardware  base. 

2.4.  Related  Activities 

There  are  a  number  of  small  activities  which,  although  not  strictly  a  part  of  the 
Swift  Project,  are  closely  associated  with  it  within  our  group.  These  include  our 
support  of  Unix,  which  is  used  as  the  program  development  environment  for  Swift, 
development  of  a  tasking  package  for  the  IBM  PC  which  supports  many  of  the  same 
programming  conventions  of  Swift  (most  particularly  upcalls),  and  the  support  of  the 
Remote  Virtual  Disk  Protocol. 

Remote  Virtual  Disk  (RVD)  is  a  protocol  which  lets  one  machine  attach  to  a  file  on  a 
server  machine  and  to  use  that  file  as  if  it  were  a  disk.  Our  group  initially  developed 
RVD  to  expand  the  disk  space  on  our  Vaxcs,  and  the  tool  has  now  become  a  widely 
used  facility  within  the  Vax-Unix  community  of  LCS.  However,  the  server  which  we 
initially  implemented,  which  was  not  really  intended  to  provide  serious  operational 
support,  needs  rewriting  in  order  to  be  sufficiently  robust,  and  the  Computational 
Resources  Group  has  undertaken  the  task  of  producing  and  running  a  better  server 
for  RVD.  User  programs  for  RVD  exist  for  Unix  4.2,  and  for  the  IBM  PC. 

3.  DISTRIBUTED  ARCHITECTURES  FOR  MAIL 

For  many  users,  computer  mail  has  been  the  most  important  application  of 
computer  networks.  The  software  tor  distribution  and  foiwarding  of  mail  is  very  well 
developed  at  this  point,  but  the  software  for  displaying,  generating  and  archiving 
mail  is  still  based  on  the  assumption  of  a  centialized  time  sharing  machine.  The  goal 
of  this  protect  is  to  develop  a  user  interface  to  a  mail  system  which  is  suitable  for  a 
personal  computer  model  of  distributing  computing. 

In  the  centralized  view  of  mail,  each  user  is  served  by  a  particular  machine  on 
which  is  located  the  user  mailbox,  as  well  as  the  necessary  software  to  manipulate 
this  mailbox.  The  assumption  is  that  the  user  directly  logs  in  to  the  machine  on 
which  the  mailbox  is  located.  The  machine  containing  the  mailbox  uses  some 
standard  mail  forwarding  protocol  to  communicate  with  other  mailbox  machines 
located  around  the  network,  in  order  that  mail  is  properly  forwarded.  For  this 
reason,  the  mailbox  machine  must  be  available  us  a  server  on  the  network  essentially 
all  the  time. 
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Since  the  mailbox  machine  must  operate  like  a  server,  it  is  not  appropriate  for  a 
personal  computer  to  be  the  mailbox  machine.  A  personal  computer  may  be 
powered  off  much  of  the  time,  and  even  if  it  is  physically  powered  on  and  connected 
to  a  network,  may  not  be  able  to  run  server  code  as  a  background  job. 

We  have  developed  a  new  architecture  for  mail  software,  to  cope  with  the 
characteristics  of  a  personal  computer.  Our  design  divides  the  traditional  functions 
of  a  mail  processing  node  into  two  parts,  the  management  of  the  mailbox  and  the 
execution  of  the  user  interface  software.  These  functions  are  implemented  on 
different  machines;  the  mailbox  is  stored  on  a  centralized  server  called  a  repository, 
and  the  user  interface  software  runs  on  a  personal  computer. 

The  goal  of  this  research  is  twofold.  First,  this  project  is  attempting  to  produce 
software  that  can  be  used  in  practice.  Several  of  our  existing  mail  nodes  are  heavily 
overloaded,  so  the  ability  to  read  mail  on  a  personal  computer  would  simultaneously 
remove  a  burden  from  our  centralized  time  sharing  systems,  as  well  as  providing  a 
mail  processing  environment  which  is  more  responsive  and  interactive.  More 
importantly  however,  this  research  has  a  goal  of  exploring  how  traditional 
applications  should  be  restructured  in  the  context  of  a  distributed  computing 
environment.  Several  interesting  problems  arise,  which  we  cannot  yet  solve  in 
general,  but  which  we  can  explore  using  mail  as  a  particular  example. 

The  first  problem  is  that  the  personal  computer  may  not  have  continuous  access  to 
the  data  stored  in  the  repository.  In  fact,  the  personal  computer  may  be 
disconnected  from  the  network  much  of  the  time.  In  particular,  we  would  like  to 
permit  the  user  to  send  and  receive  mail  at  a  time  when  a  network  connection  is  not 
open.  This  will  permit  a  portable  computer  to  be  used  as  an  interface  to  the  mail 
system.  This  means  that  a  temporary  copy  of  the  user’s  mailbox  must  be  created  in 
the  personal  computer,  matching  as  closely  as  possible  the  master  copy  which  is 
stored  in  the  repository.  We  thus  have  multiple  copies  of  the  database  describing 
the  mailbox,  which  are  almost  always  partitioned,  but  only  occasionally  able  to  talk  to 
each  other.  Updates  can  occur  to  either  copy,  and  the  software  must  do  its  best  to 
keep  all  of  the  versions  consistent. 

The  second  problem  is  that  the  user  may  wish  to  interact  with  the  mail  system  from 
a  number  of  personal  computers,  and  he  would  like  to  see  a  consistent  view  of  his 
mailbox,  no  matter  which  personal  computer  is  acting  as  a  front  end.  This  means 
that  in  addition  to  the  master  copy  stored  in  the  repository,  there  may  be  several 
rather  than  one  auxiliary  copies,  each  of  which  has  a  slightly  different  version  of  the 
mailbox  in  it.  This,  plus  an  additional  requirement  that  the  system  must  recover 
whenever  a  personal  computer  crashes  and  loses  its  copy  of  the  mailbox,  makes 
very  difficult  the  problem  of  keeping  the  user's  view  of  the  mailbox  consistent. 

During  the  last  year,  we  have  designed  the  mailbox  repository,  the  user  interface, 
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and  the  protocol  which  hooks  them  together.  The  protocol  contains  some  rather 
sophisticated  error  recovery  mechanisms,  so  that  the  connection  can  be  disrupted 
at  an  arbitrary  point  without  causing  the  various  copies  of  the  mailbox  to  diverge  in 
an  irreconcilable  manner.  We  have  a  prototype  implementation  of  the  repository, 
and  over  the  next  six  months  we  intend  to  demonstrate  a  running  repository  and  a 
user  interface  program  running  on  an  IBM  Personal  Computer. 

4.  NETWORK  ROUTING  AND  RESOURCE  CONTROL 

Elizabeth  Martin  continued  to  study  dynamic  routing  problems  in  an  internet.  We 
have  been  participating  in  the  development  of  the  Exterior  Gateway  Protocol,  which 
will  be  used  to  pass  routing  information  between  gateways  in  the  DARPA  Internet, 
and  have  proposed  some  schemes  for  dynamic  routing  within  the  MIT  Internet,  a 
subsection  of  the  DARPA  Internet. 

4.1.  Exterior  Gateway  Protocol 

The  Exterior  Gateway  Protocol  (EGP)  partitions  groups  of  gateways  in  the  DARPA 
Internet  into  Autonomous  Systems  of  gateways.  The  gateways  in  an  Autonomous 
System  (AS)  are  programmed,  maintained,  and  administered  by  one  organization. 
Gateways  in  different  Autonomous  Systems  exchange  routing  information  using 
EGP.  EGP  consolidates  the  amount  of  routing  information  that  is  exchanged  and 
provides  a  more  controlled  method  of  passing  information  between  gateways  who 
may  or  may  not  trust  each  other.  Gateways  within  an  AS  use  their  own  conventions 
for  passing  routing  and  up/down  information  among  themselves;  these  gateways 
are  free  to  experiment  with  different  routing  algorithms. 

Defining  rules  for  the  internet  routing  topology  and  for  the  dispersal  of  routing 
information  that  prevent  routing  loops  has  proved  to  be  very  difficult.  Consequently, 
the  early  version  of  EGP  which  is  expected  to  become  a  DARPA  standard  this 
summer  is  very  restrictive. 

We  have  participated  in  specifying  EGP  and  in  studying  the  routing  issues  this 
protocol  is  attempting  to  address.  We  have  implemented  EGP  for  our  C  gateway. 


4.2.  Interior  Gateway  Protocol 

The  MITnet  consists  of  about  45  interconnected  LANs  (called  subnets),  and  is 
expected  to  grow  to  about  200  LANs  by  1990.  It  is  becoming  increasingly 
inconvenient  to  manually  change  the  subnet  routing  tables  in  all  the  MIT  gateways 
every  time  a  new  subnet  and  gateway  is  added  to  the  MITnet.  Therefore,  we  have 
specified  a  subnet  routing  protocol  (our  Interior  Gateway  Protocol)  to  be  used  to  tell 
gateways  within  the  Ml  Tnet:  first,  which  gateway  to  use  to  get  to  which  exterior  nets 
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the  study  in  that,  when  they  achieve  a  level  of  mastery  of  the  computer,  students  will 
be  able  to  take  machines  to  their  own  homes.  The  project  is  scheduled  to  run  until 
the  end  of  the  1984  85  school  year. 

The  project  is  empnasizing  use  of  the  computer  as  a  tool  in  all  aspects  of  the 
students'  education.  The  children  are  learning  to  program  in  Logo  and  will  aiso  use 
software  packages  written  in  Logo.  A  key  research  interest  are  the  different  learning 
styles  exhibited  by  the  students  and  the  effects  of  using  the  computers  on  those 
learning  styles. 

The  day  to-day  supervision  of  the  project  is  being  carried  out  by  the  project 
director.  David  Scrimsnaw,  working  under  Dr.  Papert.  Four  undergraduates  have 
been  programming  Logo  software  for  use  by  the  elementary  school  students. 

There  are  two  teachers  at  each  school  involved  in  the  project.  The  first  is  the 
prime  teacher,  the  teacher  of  the  class  we  will  be  studying.  The  second  is  a  backup 
teacher,  a  teacner  of  a  neighboring  class  who  will  have  several  computers  in  her 
class  and  will  attend  all  meetings  and  sessions  that  the  prime  teacher  attends.  The 
purpose  of  the  backup  teacher  is  to  stand  in  for  the  prime  teacher  if  needed,  to 
provide  support  tor  the  prime  teacher  and  to  be  an  additional  consultant  to  the 
research  group  on  classroom  teaching  matters. 

The  teachers,  other  project  members,  and  a  group  of  university  students, 
educators  and  non  Mir  lesearchers  (totalling  25)  have  been  meeting  each  week  to 
plan  and  conduct  the  research  for  the  project.  Most  of  the  classroom  observation 
will  be  carried  out  by  members  of  this  group. 

3.2.  The  Carroll  School 

Sylvia  Weir  has  been  working  in  the  Carroll  School  with  11-13  year  old  learning 
disabled  children  and  Logo.  The  fundamental  postulate  of  tins  work  is  that  a  certain 
segment  of  the  population  consists  ot  children  with  learning  deficits  that  may  be 
characterized  as  linguistic/analytic,  but  who  may  be  very  talented  in  terms  of  spatial 
reasoning  and  "perceptual  matnematics  "  These  children  may  well  be  classified  as 
hyperactive  and  show  learning  styles  which  are  very  tar  from  "planful"  or  "top 
down."  In  view  of  these  characteristics,  standard  school  settings  and  curricula 
discriminate  strongly  against  these  children. 

This  year  a  set  of  measures  of  spatial  and  perceptual  abilities  have  been 
developed.  They  show  a  clear  bimodnl  distribution  among  children  at  the  school, 
indicating  a  very  particular  subpopulation  of  children  (those  in  the  high  mode)  with 
strengths  that  are  not  being  capitalized  on.  Work  has  begun  on  developing  Logo- 
based  materials  and  techniques  that  build  on  their  strengths,  rather  than  keeping 
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search  the  journal  and  return  a  box  containing  ports  to  entries  which  have  specified 
key  words  --  constructing  another  view  at  need,  rather  than  incrementally  as  the  BY- 
TOPIC  view  is  constructed.  One  could  even  write  a  procedure  to  completely 
reorganize  the  journal. 

2.3.  Future  Work 

Our  planned  future  work  on  Boxer  includes: 

•  developing  a  message  passing  semantics  for  Boxer; 

»  defining  the  basic  graphical  objects  and  operations  of  the  system;  and 

•  making  a  microcomputer  implementation. 


3.  THE  EDUCATIONAL  CONTEXT 

During  the  last  year,  there  were  three  principal  sites  for  working  with  teachers  and 
students:  The  Quincy  and  Ohrenberger  Schools  in  Boston  (High  Density  Project),  the 
Carroll  School,  and  MIT  itself.  In  addition  to  this  work,  we  hosted  the  first  National 
Logo  Conference  with  over  450  participants  from  more  than  20  countries  (June  27  - 
30).  The  conference  highlights  the  major  impact  our  work  has  had  on  education  at 
the  national  and  international  scales. 

3.1 .  The  Quincy-Ohrenberger  High  Density  Project 

Computers  are  becoming  a  common  sight  in  today's  classroom.  There  are  two 
reasons  for  this.  The  first  is  that  as  they  become  more  common  in  society,  there  is  a 
greater  perceived  and  actual  need  to  teach  people  how  to  use  them.  The  second 
and  more  powerful  reason  is  that  computers  can  be  used  to  dramatically  enhance 
the  learning  of  essentially  all  other  subjects.  There  will  come  a  day  when  every 
school  child  has  a  computer.  Before  this  happens  it  is  important  to  look  ahead  to 
explore  the  possibilities  and  anticipate  the  problems  posed  by  such  a  high  density  of 
computer  power.  The  Quincy-Ohrenberger  High  Density  Project  will  explore  these 
questions. 

This  project,  under  the  direction  of  Seymour  Paper!,  is  studying  the  use  of 
computers  and  Logo  by  elementary  school  students  in  two  Boston  elementary 
schools.  A  class  of  22  third  graders  at  the  Ohrenberger  School  in  West  Ftoxbury  will 
use  1 1  computers,  and  a  class  of  20  fourth  graders  at  the  Quincy  School  in 
Chinatown  will  use  20  computers.  This  will  produce  a  higher  density  of  computers 
per  child  than  any  that  has  been  tried  in  an  elementary  classroom  before.  The 
computer  to  be  used  is  the  Coleco  Adam.  There  will  also  be  a  home  component  of 
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JOURNAL : 


data - 

BY-CHRONOLOGY:  data 

|////| 


BY-TOPIC:  data . . 

PORTS:  data . . 

port - 

I  TOP IC :  data- 
|Ports| 


KEYWOROS:  data . - . 

|Cross  Referencing  | 


DATE:  data - 

111-10-83  | 


Ports  are  also  good  for  cross 
referencing.  Here,  for  example, 
is  a  port  to  a  related  box. 
port 
|////| 


port 


port 


QUARTS:  data 


STEPPER:  data 
(////! 


Figu  re  6-3:  The  first  box  in  the  PORTS  section  of  BY-TOPIC  is  a 

port  to  the  first  entry  shown  in  the  previous  figure.  The  other  ports 
in  that  section  are  to  other  entries  in  BY-CHRONOLOGY. 
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JOURNAL:  data . - . " 

BY -CHRONOLOGY:  data . . 

ENTRY:  data . 

I  TOPIC:  data- 
I  |  Ports  J 


KEYWORDS:  data . . 

|Cross  Referencing  | 


DATE:  data . 

111-10-83  | 


Ports  are  also  good  for  cross 
referencing.  Here,  for  example 
is  a  port  to  a  related  box. 
port 
l////| 


ENTRY:  data . 

I  TOPIC:  data . . 

i  (Something  Else] 


KEYWORDS:  data . 

| F oo ,  Bar  | 


DATE:  data - 

111-11-83  | 


Text  ...  Text  . .  .  Text  . . . 


ENTRY:  data . 

I  TOPIC :  data - 

|  |Stepper  | 


DATE:  data - 

111-12-83  | 


We  have  the  option  of  laying  out 
copies  horizontally,  Tittle  man  style, 
as  opposed  to  copy- in-place .  8ut  does 
this  complicate  understanding  lookup?? 


BY-TOPIC:  data 

\"JJ  I 


Figure  6-2:  A  Journal  contains  two  views  of  its  entries,  BY-CHRONOLOGY 

and  BY-TOPIC. 
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organization  of  the  system.  The  primary  difference  between  a  port  and  a  window  is 
that  the  port  itself  is  spatially  located  in  the  system  hierarchy,  not  attached  to  the 
screen.  A  port  appearing  in  a  data  structure  indicates  that  the  contents  of  the  port  is 
shared  in  basically  the  Lisp  sense.  A  difference  between  Boxer  sharing  and  Lisp 
sharing  is  that  any  object  really  belongs  to  (is  contained  in)  a  unique  other  object 
and  can  only  be  “used”  in  other  places. 

in  the  context  of  sharing,  one  can  see  a  subtle  but  important  shift  in  the  meaning  of 
variables  from  Lisp  and  Smalltalk  to  Boxer.  The  meaning  of  setting  a  variable  in 
Boxer  is  to  change  the  contents  of  a  box,  so  that  any  port  to  that  box  sees  the 
change.  In  Lisp,  one  cannot  share  in  this  way.  A  second  object  can  indeed  point  to 
the  value  of  a  variable,  but  changing  the  setting  of  that  variable  creates  a  new 
pointer  from  the  name  to  the  new  value,  leaving  the  object  which  shared  the  old 
value  still  pointing  to  it.  This  all  means  an  extra  layer  of  indirection  in  implementing 
Boxer  variables.  But  that  layer  corresponds  to  a  key  idea  -  it  represents  place:  If  a 
variable  is  to  have  a  place,  that  place  must  remain  invariant  in  the  process  of  setting 
the  variable,  and  that  fact,  in  turn,  must  be  represented  in  the  implementation. 

The  following  example  shows  the  usefulness  of  ports  in  cross  referencing  and  in 
producing  multiple  views  of  a  system.  It  also  happens  to  be  a  fine  example  of  Boxer 
used  as  a  personal  information  system. 

Keeping  a  personal  database  in  Boxer  is  a  trivial  matter.  Here,  we  use  ports  to 
make  available  an  alternate  organization  of  entries  in  a  journal.  The  top  box  in 
Figuic  6  2,  BY-CHRONOLOGY,  contains  all  entries  in  chronological  order.  The 
bottom  box.  shown  expanded  in  Figure  6-3  contains  the  same  entries  reorganized 
(via  ports)  according  to  topic.  The  intent  is  to  allow  the  journal  keeper  to  access  an 
entry  according  to  preference  or  how  he  remembers  it:  “I  seem  to  remember  writing 
something  about  that  a  week  or  so  ago;"  versus  "Let  me  see  what  I  have  on  the  topic 
of  ports.”  Because  ports  are  views  on  objects  which  appear  in  another  place,  any 
change  made  in  a  port  is  instantly  reflected  in  the  original  entry.  If  both  the  port  and 
the  target  of  the  port  ore  on  the  screen,  typing  into  either  results  in  the  characters 
appearing  in  both. 

We  imagine  the  protocol  for  using  such  a  journal  to  be  something  like  the 
following.  One  can  make  an  entry  by  copying  the  form  of  a  previous  entry,  or  using  a 
template  as  described  for  mail  above.  Actually  putting  the  entry  in  place  could  be 
handled  with  a  FILE  function,  which  would  make  sure  to  insert  a  port  to  the  new 
entry  under  the  appropriate  topic  in  the  BY-TOPIC  listing.  Of  course,  one  could  also 
have  an  UPDATE  function  which,  when  executed,  placed  a  port  to  any  new, 
unported  entries  in  the  BY  TOPIC  listing  These  utilities,  FILE  and  UPDATE,  are 
actually  not  very  complex  Boxer  procedures,  though  one  would  not  expect  early 
novices  to  write  them.  They  could  be  augmented  with  procedures  to,  for  example, 
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by-one  and  then  at  some  later  time  indicate  that  the  typed  statements  should  be 
incorporated  into  a  program.  Consequently,  programming  in  Boxer  is  often  not  so 
much  "writing"  programs  as  it  is  piecing  them  together  concretely  from  objects 
already  in  the  system. 


2.2.  Focus  of  Our  Work  This  Year 

Last  year  we  built  a  minimal  but  usable  implementation  of  Boxer  on  a  CADR  Lisp 
Machine.  During  this  year  we  transported  the  system  to  a  Symbolics  Machine  and 
filled  out  the  basic  functionality  of  the  system,  including  improving  and  extending  the 
editor.  Among  the  basic  issues  settled  during  the  year  were  the  set  of  data 
operations  and  how  they  relate  to  sharing  structure.  We  illustrate  this  work  here  by 
describing  a  new  structure  added  to  Boxer. 

Ports:  Boxer  maintains  a  strong  identification  of  "things''  with  “places,”  and 
"organization”  with  “spatial  relationship"  (in  particular,  containment  implies 
inheritance).  This  provides  a  firm  foundation  for  easy,  incremental  learnability  of  the 
system  through  inspection  and  through  a  uniform  method  of  interpreting,  modifying 
and  expanding  what  one  sees.  Nonetheless,  these  identifications  are  very  strong 
constraints  on  system  organization  and  possible  interpretations  of  “running  a 
program."  In  particular,  Boxes  are  strictly  hierarchical,  and  each  box  exists  in 
precisely  one  place.  This  means  it  is  impossible  to  share  in  pure  Boxer  as  on  can  in 
Lisp,  having  an  object  be  part  of  more  than  one  other  object  (via  multiple  pointers  to 
the  shared  object).  It  also  means  one  has  only  a  single  view  of  any  object  in  the 
system  ••  that  provided  by  the  spatial  context  where  the  object  exists.  In  contrast, 
one  may  sometimes  want  to  see  things  on  the  screen  that  are  related  in  some  way 
other  than  with  respect  to  their  system  organization.  While  running  a  program  in 
some  environment,  one  might  wish  to  view  the  changing  contents  of  some  distant 
data  box.  Or  one  might  want  to  be  looking  at  some  part  of  the  system  while 
constructing  another  part,  say  constructing  a  program  in  analogy  with  another  from 
a  different  context.  Window  systems  were  invented  partially  to  serve  this  kind  of 
function. 

Sharing  and  multiple  views  are  not  of  first-rank  importance  to  novices,  but  they  are 
important  enough  that  we  would  like  to  incorporate  them  for  more  advanced  users. 
To  meet  this  need  we  have  implemented  a  single  structure  that  provides  much  of  this 
functionality,  but  which  we  consider  minimally  subversive  of  the  box  semantics.  It  is 
called  a  port  ("view  port")  and  has  most  of  the  properties  of  a  box.  It  appears  as  a 
rectangular  region  that  can  be  named  and  is  constructed  and  erased  in  essentially 
the  same  way  that  a  box  is.  But  its  meaning  is  a  passageway  to  another  part  of  the 
system.  What  one  sees  in  a  port  is  a  part  of  the  system  located  in  another  place. 
Thus  one  can  inspect  and  even  change  remote  objects.  In  general,  one  can  pretend 
that  another  part  of  the  system  is  in  the  place  of  viewing  without  changing  the  “real" 
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2.1.  Design  Principles  of  Boxer 

One  of  our  major  concerns  in  formulating  the  design  of  Boxer  is  to  provide  a 
mechanism  that  will  enable  even  beginning  users  to  deal  with  the  large-scale 
structure  of  the  system.  The  approach  we  have  adopted  is  to  organize  Boxer  in 
terms  of  a  pervasive  spatial  metaphor.  Elements  of  the  environment  can  be  thought 
of  as  places,  and  their  visible  spatial  relationships  have  structural  meaning.  All 
compound  objects  are  versions  of  "boxes''  which  are  two  dimensional  arrays  of 
words  or,  recursively,  boxes.  The  containment  relation  among  boxes  provides,  via 
the  spatial  metaphor,  a  model  of  all  hierarchical  structural  relations  in  the  system, 
from  variable  scoping,  through  program/sub-program  structure  to  index  and  file 
arrangement.  In  fact,  the  entire  system  can  be  regarded  as  a  single  two-dimensional 
geometric  space  through  which  the  user  moves.  This  is  a  crucial  aspect  of  making 
the  system  accessible  to  beginning  users,  since  it  links  the  central  organizing  image 
of  the  system  to  geometric  intuitions. 

Figure  6-1  shows  a  simple  example  of  spatial  organization  in  a  procedure  called 
SQUARE,  which  draws  a  square  on  a  graphics  display  screen  by  repeating  four 
times  a  sequence  of  two  moves  called  CORNER.  Notice  that  the  definition  of  the 
CORNER  procedure  is  geometrically  contained  within  the  SQUARE  procedure.  This 
shows  how  boxes  can  be  used  to  achieve  the  usual  organization  of  block-structured 
languages.  In  Boxer,  we  extend  this  principle,  using  boxes  as  geometric  carriers  of 
many  other  hierarchical  structures  as  well. 


SQUARE  :+- - - - + 

CORNER  :+- . . . ---  + 

I  forward  100  I 

(  right.  90  | 

+ - + 


REPEAT  4  + - + 

(corner  | 

+ - + 


+ - + 


Figure  6-1:  Spatial  Organization 

A  second  design  principle  in  Boxer  is  the  identification  of  objects  with  their  screen 
representations.  This  is,  in  essence,  a  consistent  commitment  to  the  idea  that  the 
system  is  the  way  it  appears  on  the  screen.  For  example,  any  text  that  appears  on 
the  screen,  whether  typed  by  the  system,  typed  by  the  user,  previously  executed  or 
not,  is  available  to  be  manipulated,  edited  or  executed.  This  uniformity  enables 
Boxer  to  support  styles  of  interactive  use  that  are  very  different  from  those  found  in 
other  computational  environments.  For  example,  one  can  execute  statements  one- 
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1.  INTRODUCTION 

Serious  work  in  education  today  requires  an  extraordinary  breadth  of 
competences  and  concerns  which  we  can  partition  into:  (1)  technology,  (2)  the 
educational  context  (students,  teachers  and  curriculum),  and  (3)  cognition.  In  the 
Educational  Computing  Group  we  accept  the  need  to  work  simultaneously  in  all  of 
these  areas  ■  understanding  the  basic  principles  of  learning  and  knowing, 
fashioning  computational  tools  from  those  principles,  and  developing  learning 
materials  and  teaching  techniques  which  are  responsive  at  once  to  the  best  current 
ideas  about  learning,  the  most  promising  uses  of  technology  and  the  realities  of  the 
classroom. 

In  the  area  of  technology,  our  major  work  is  the  Boxer  project  which  aims  at 
providing  the  most  general,  easy-to-use  computational  facilities  possible  for  non¬ 
expert  computer  users  such  as  students,  trainees,  teachers  and  computer-materials 
developers.  The  educational  context  is  represented  by  our  work  in  a  number  of 
settings,  including  an  experiment  in  very  high  density  of  computers  in  two 
elementary  classrooms  in  the  Boston  Public  Schools:  work  in  the  Carroll  School  with 
learning  disabled  youngsters,  and  work  with  MIT  undergraduates  under  the  auspices 
of  Project  Athena.  Our  work  on  cognition  has  been  spread  across  projects.  It  has 
centered  on  understandability  of  complex  computational  systems  in  the  Boxer 
Project,  on  spatial  reasoning  at  the  Carroll  School,  and  on  studying  children's 
notions  about  physics  in  connection  with  the  Cambridge  Public  Schools. 

2.  BOXER 

During  the  past  year,  we  have  continued  the  design  and  implementation  of  Boxer, 
whose  goal  is  to  integrate  a  wide  variety  of  applications  --  text  manipulation, 
programming,  graphics,  information  retrieval  and  data  manipulation  --  within  an 
easy-to-learn  framework.  Boxer  is  motivated  by  our  conviction  that  most  non¬ 
specialist  users  of  computers  are  best  served  by  providing  a  computational 
environment  that  is  integrated  and  coherent,  in  which  all  the  basic  capabilities  can 
be  assimilated  to  a  single,  uniform  computational  scheme.  In  Boxer,  we  have  been 
trying  to  achieve  system  coherence  through  (1)  a  simple  spatial  model  representing 
all  hierarchical  organizations  of  data  and  programs,  and  (2)  a  universal  insistence 
that  all  objects  are  equivalent  to  their  screen  representation.  The  latter  provides  a 
uniform  way  of  manipulating  all  system  objects,  files,  programs,  databases,  records, 
textual  objects,  etc.  using  the  same  "extended  text”  editor. 
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3.  Romkey.  J.L.  "Reliable  Datagram  Multicast  on  the  Internet,"  S.B,  thesis, 
MIT  Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  expected  December  1904. 

4.  Sollins.  K.R.  "Distributed  Name  Management."  Ph.D.  dissertation,  MIT 

Department  of  Electrical  Engineering  and  Computer  Science, 

Cambridge.  MA,  expected  August  1984. 

Talks 

1.  Clark.  D.D.  "Remote  Virtual  Disk  Protocol."  Internet  Research  Group, 
January  1984. 

2.  Clark.  D.D.  "A  Case  Stu  :y:  The  Campus  Network  Plan  for  the 
Massachusetts  Institute  of  Technology,"  ACIS,  IBM,  Rockville,  MD, 
January  1984,  March  1984. 

3.  Clark.  D.D.  "Overview  of  Research  at  Massachusetts  Institute  of 

Technology,  Laboratory  lor  Computer  Science,"  Digital  Equipment 
Corporation.  Hudson.  MA,  March  1984. 

4.  Clark.  D.D.  "The  Reality  of  the  Network  Protocol  Jungle,”  MIT  Industrial 
Liaison  Program.  Cambridge,  MA.  April  1984. 

5.  Greenwald,  M.B.  "Swift:  An  Operating  System  for  a  Personal 

Computer,"  Ninth  ACM  Symposium  on  Operating  System  Principles, 
Bretton  Woods,  NH.  October  1983. 

6.  Greenwald,  M.B.  "Accessing  Secondary  Storage  Across  a  Data 

Network."  Digital  Equipment  Corporation,  Littleton.  MA,  June  1984. 

7.  Martin.  E.A.  "MIT  Gateway  Projects:  Campus  Nctwork/Project  Athena 
and  Dynamic  Routing."  Gateway  Special  Interest  Group  Meeting,  USC 
Information  Sciences  Institute,  Marina  Del  Rey,  CA,  February  1984. 

8.  Sollins.  K.R,  "Distributed  Name  Management.  Ninth  ACM  Symposium  on 
Operating  System  Principles.  Bretton  Woods.  NH,  October  1983. 

Conference  Participation 

1.  Clark.  D.D.  Panel  Session.  ACM  Sigcomm  '84,  Communications 
Architectures  and  Protocols.  Montreal,  Quebec.  Canada,  June  1984. 
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Publications 

1.  Saltzer.  J.H..  Reed.  D.P.  and  Clark,  D.D.  "End-To-End  Arguments  in 
System  Design,"  to  appear  in  ACM  Transactions  on  Computer  Systems , 
(November  1984). 

2.  Greenwald,  M.B.  "Remote  Virtual  Disk  Protocol  Specification,"  MIT 
Laboratory  for  Computer  Science  Technical  Memorandum,  Cambridge, 
MA,  to  appear  1984. 


Theses  Completed 

1.  Gobioff,  B.  "An  Investigation  of  Development  Methodologies  for 
Communications  Software,"  M.S.  thesis,  MIT  Sloan  School  of 
Management,  Cambridge,  MA,  May  1984. 

2.  Kim,  T.H.  "A  Distributed  Mail  System  Repository,”  S.B.  thesis,  MIT 
Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  May  1984. 

3.  Krajewski,  R.P.  "Required  Capabilities  for  a  File  Access  Protocol,"  S.B. 
thesis,  MIT  Department  of  Electrical  Engineering  and  Computer 
Science,  Cambridge,  MA,  May  1984. 

4.  Shinsato,  H.J.  "A  CLU  Interface  for  a  Bit-Mapped  Display,"  S.B.  thesis, 
MIT  Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  May  1984. 

5.  Skinner,  G.D.  "An  Implementation  of  an  ARPANET  FTP  Server  for 
UNIX,"  S.B.  thesis,  MIT  Department  of  Electrical  Engineering  and 
Computer  Science,  Cambridge,  MA,  May  1984. 

6.  Spurlock,  J.  "A  Comparative  Study  of  Distributed  File  Systems,"  S.B. 
thesis,  MIT  Department  of  Electrical  Engineering  and  Computer 
Science,  Cambridge.  MA,  May  1984. 

Theses  in  Progress 

1.  Siegel,  E.H.  "Dynamic  Linking  in  a  Type  Safe  Environment,"  S.B.  thesis, 
MIT  Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  expected  September  1984. 

2.  Gramlich,  W.C.  "Checkpoint  Debugging,"  Ph.D.  dissertation,  MIT 
Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA.  expected  September  1904. 
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retained.  Checkpoint  debugging  can  also  be  effectively  used  to  help  debug  real-time 
systems.  Checkpoint  debugging  is  also  useful  for  debugging  high  availability 
programs  (such  as  printer  servers)  where  the  system  maintainer  can  not  be  available 
for  debugging  24-hours  a  day. 
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exist  yet;  it  need  not  exist  until  execution  is  required.  A  second  aspect  of  availability 
relates  to  locking  or  checking  out  program  modules  for  modification  or 
improvement.  These  and  other  aspects  of  availability  are  still  under  study. 

A  second  issue  arising  from  the  programming  support  environment  is  that  the  set 
of  participants  is  distinct  from  the  set  of  objects  named,  unlike  the  mail  example.  In 
fact,  humans  often  use  the  set  of  participants  as  part  of  their  means  of  identifying  a 
particular  aggregate.  The  third  and  fourth  issues  are  not  directly  naming  issues, 
although  they  are  closely  related.  The  third  is  the  issue  of  how  and  when 
participants  are  notified  of  modifications  to  the  shared  context  in  cases  where 
someone  else  made  the  modifications.  The  fourth  is  the  implementation  issue  of 
how  the  updates  are  done  and  to  what  degree  distributed  copies  of  the  shared 
context  are  synchronized.  In  the  mail  system,  both  of  these  were  achieved  through 
the  mail  system  itself.  A  message  carried  both  name  and  address  of  the  sender  and 
all  recipients.  If  a  name  was  not  known  in  the  local  copy  of  the  shared  context,  it  was 
added  and  until  it  had  been  used  several  times  the  recipient  saw  both  the  name  and 
the  address.  At  such  time  that  the  name  was  accepted,  the  address  was  stripped  off 
before  displaying  the  message  to  the  recipient.  In  the  programming  support 
environment  such  facilities  for  conveying  and  displaying  information  are  not 
available.  As  the  work  progresses  these  issues  will  be  addressed  in  further  detail. 

The  current  state  of  the  dissertation  is  that  the  implementation  is  complete,  work  is 
progressing  on  a  detailed  design  for  a  programming  support  naming  facility,  and 
writing  of  the  dissertation  is  under  way. 


6.  CHECKPOINT  DEBUGGING 

Wayne  Gramlich  continued  work  on  his  thesis  in  the  area  of  debugging  distributed 
systems.  The  specific  debugging  technique  that  is  being  investigated  is  called 
checkpoint  debugging. 

The  basic  idea  is  to  regularly  take  an  atomic  snap-shot  of  the  process  state  and 
then  record  all  subsequent  process  input  until  the  next  atomic  snap-shot.  When  a 
bug  is  encountered,  the  previous  snap  shot  and  all  of  its  process  input  is  retained  for 
subsequent  analysis.  Debugging  is  performed  by  reloading  the  snap-shot  and 
replaying  the  process  input. 

Since  computers  are  deterministic  finite  state  machines,  the  sequence  of  events 
leading  up  to  the  occurrence  of  the  bug  can  be  recreated  as  many  times  as 
necessary.  A  conventional  interactive  debugger  can  bo  used  to  help  find  the  bug 
when  the  checkpoint  is  being  replayed.  For  a  distributed  computation,  all  the 
processes  in  the  computation  must  be  regularly  checkpointed.  When  a  bug  is 
encountered  in  any  of  the  processes,  the  checkpoints  for  all  processes  must  be 
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outside  the  MIT  network,  and  second,  which  neighbor  gateway  to  use  to  get  to  the 
various  MIT  subnets. 

This  IGP  should  serve  the  MITnet's  needs  for  the  next  five  years  or  so,  at  which 
point  the  amount  of  routing  information  that  must  be  processe  '  may  become  too 
cumbersome. 

4.3.  Internet  Congestion  Control 

Lixia  Zhang  began  a  study  of  network  resource  allocation  techniques  suitable  for 
the  DARPA  Internet.  The  Internet  currently  has  a  simple  technique  for  resource 
allocation,  called  "Source  Quench." 

Simple  simulations  have  shown  that  this  technique  is  not  effective,  and  this  work 
has  produced  an  alternative  which  seems  considerably  more  workable.  Simulation 
of  this  new  technique  is  now  being  performed. 

5.  DISTRIBUTED  NAME  MANAGEMENT 

Karen  Sollins  continued  work  on  her  dissertation  as  described  in  the  previous 
progress  report.  The  previous  report  addressed  a  collection  of  issues  in  naming  in  a 
distributed  environment.  The  work  this  year  included  further  work  on  a  paradigm  for 
naming  (as  described  in  that  earlier  progress  report).  To  this  end,  Sollins  has 
implemented  the  ideas  in  an  electronic  mail  system.  The  exercise  of  implementing 
has  had  both  positive  and  negative  effects.  First,  due  to  limitations  of  the 
programming  environment  and  the  resources  available,  the  model  was  simplified. 
Contexts  and  aggregates  are  available  to  the  users,  but  not  in  their  full  generality. 
For  example,  names  can  only  be  translated  to  and  from  other  strings,  which  are 
assumed  to  be  network  addresses.  On  the  other  hand,  the  implementation  did 
highlight  a  problem  that  had  not  been  previously  considered  in  detail:  the  issue  of 
proposing  new  names  and  the  stages  through  which  a  name  progresses  until  it  is 
accepted  by  the  community  of  participants  in  an  aggregate.  Further  work  on  this 
issue  continues. 

Electronic  mail  provided  a  restricted  set  of  naming  problems.  In  order  to 
investigate  naming  further,  work  is  now  progressing  on  examining  the  naming  issues 
in  a  programming  support  environment,  A  number  of  issues  arise  here  that  did  not 
arise  in  the  mail  example.  First,  there  is  the  issue  of  availability.  There  are  several 
aspects  of  availability.  One  is  whether  or  not  an  object  that  is  being  named  is 
currently  accessible  or  not  and  whether  this  is  important  for  the  activity  at  hand.  For 
example,  if  the  activity  is  compilation  and  the  interface  to  the  named  piocedure  is 
known,  perhaps  the  executable  version  of  the  procedure  residing  on  another 
computer  need  not  be  accessible.  Perhaps  the  executable  version  does  not  even 
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them  back  because  of  their  weaknesses.  Preliminary  results  indicate  positive 
results.  It  is  expected  that  these  materials  will  be  of  benefit  even  to  students  who  are 
not  classified  as  learning  disabled,  but  who  have  preferred  learning  styles  and 
special  reasoning  abilities  that  are  not  tapped  by  standard  curriculum. 

3.3.  Project  Athena 

Two  Athena  Projects  have  been  begun  by  members  of  the  Educational  Computing 
Group.  Hal  Abelson  has  initiated  the  development  of  a  course  on  linear  algebra. 
Andy  diSessa  has  starred  developing  a  course  in  computer-aided  research  and 
design.  The  latter  uses  material  in  the  standard  freshman  physics  curriculum,  but  is 
intended  to  bring  students  as  quickly  as  possible  to  the  position  where  they  can 
engage  in  original  research  and  design  problems  which  take  a  significant  fraction  of 
a  term  to  complete.  The  course  is  being  developed  in  modules  consisting  of  text 
computer  simulations  and  microworlds  that  not  only  serve  as  a  basis  for  student 
homework  problems,  but  as  a  starting  point  for  student  research  projects  as  well. 

4.  COGNITIVE  STUDIES 

In  addition  to  Weir’s  work  on  spatial  reasoning  described  briefly  above,  another 
piece  of  research  is  in  progress  by  diSessa  and  a  postdoctoral  assistant,  Tamar 
Globerson,  visiting  from  Israel.  This  project  is  aimed  at  determining  how  systematic 
and  theory-like  the  common-sense  physical  knowledge  of  children  is.  Students  from 
pre-school,  third  and  sixth  grades  have  been  presented  with  a  number  of  situations, 
including  computer  simulations,  that  all  present  basically  the  same  situation:  An 
object  is  moving  in  a  circular  path  (e.g.,  a  ball  on  a  string)  and  suddenly  the  circular 
constraint  is  broken  (e.g.,  the  string  is  cut).  What  trajectory  does  the  ball  follow? 

In  contrast  to  other  studies,  this  work  is  showing  a  very  complex  context 
dependence  in  the  answers  the  children  give,  indicating  the  non-theory-like  nature 
of  their  knowledge.  Children  will  change  their  minds  on  the  basis  of  subtle  changes 
in  the  problem,  car  be  convinced  to  accept  possibilities  they  do  not  suggest 
themselves,  and  even  change  their  minds  on  viewing  a  simulation  of  the  predictions 
they  themselves  make,  as  if  thinking  in  the  abstract  about  motion,  and  judging 
plausibility  by  watching  invoke  two  different  knowledge  pools. 

Follow-up  work  will  chart  in  detail  the  development  of  particular  intuitive  “laws"  of 
physics,  examine  the  systematicity  of  the  apparently  patchwork  collection  of  ideas 
children  have,  and  eventually  develop  computer  activities  to  engage  and  develop 
children's  physical  intuitions. 
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Publications 

1.  Abelson.  H.  Tl  Logo.  Byte  Books,  Peterborough,  NH,  1984. 

2.  Abelson,  H.  Structure  and  Interpretation  of  Computer  Programs,  (with 
G.J.  Sussman  and  J.  Sussman),  MIT  Press  and  McGraw-Hill,  Cambridge, 
MA,  1984. 

3.  diSessa,  A.  "The  Computer  as  an  Epistemological  Catalyst,"  in  Children 
and  Computers,  L.  Klein  (ed.),  Jossey  Bass,  Inc.  (in  press). 

4.  diSessa,  A.  "A  Principled  Design  for  an  Integrated  Computational 
Environment,"  Human-Computer  Interaction  (in  press). 

Theses  Completed 

1.  Harris,  R.  D.  "FloWorld:  A  Graphical  Modeling  System  for  Momentum 
Flow,"  S.B.  thesis,  MIT  Department  of  Electrical  Engineering, 
Cambridge,  MA,  June,  1984. 

2.  Hibbert,  C.  T.  "Integrated  Computing  Environments:  The  Control  of 
Complexity  in  Powerful  Systems,"  S.B.  thesis,  MIT  Department  of 
Electrical  Engineering,  Cambridge,  MA,  June  1984. 

3.  Kellison,  T.  "Two  Kinds  of  Measurement:  The  Way  Kids  Think  about 
Angles  and  Lines,"  S.B.  thesis,  MIT  Department  of  Electrical 
Engineering  and  Computer  Science,  Cambridge,  MA,  1984. 

4.  Strassmann,  S.  H.  "Learning  Lisp:  The  Barriers  to  Novice  Programmers 
at  MIT,"  S.B.  thesis,  MIT  Department  of  Electrical  Engineering, 
Cambridge,  MA,  June  1984. 


Talks 

1.  Abelson,  H.  "A  Lisp-Programmer’s  View  of  Software  Engineering," 
General  Telephone  and  Electronics  Conference  on  High-Level 
Languages,  Norwalk,  CN,  September  1983. 

2.  Abelson,  H.  "Turtle  Geometry,"  Annual  Conference  of  Computer 
Education  Group  of  Victoria,  Melbourne,  Australia,  May  1984. 

3.  Abelson,  H.  "Advanced  Programming,"  National  Logo  Conference,  MIT, 
Cambridge,  MA,  June  1984. 
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4.  diSessa.  A.  "Introducing  Computers  in  Schools  -  Logo  across  K-12,"  all 
principles  and  faculty  development  staff  of  R-1  school  district,  Jeffeison 
County,  CO,  August  2,  1983. 

5.  diSessa,  A.  "Intuitive  Physics,"  Colloquium  in  Developmental 
Psychology,  Columbia  University,  New  York,  NY,  September  25,  1983. 

6.  diSessa,  A.  "Learning  Physics  from  Dynamic  Turtles,"  and  "Boxer: 
Goals  and  Means  for  Producing  an  Integrated  Computational 
Environment,"  IEEE  Educational  Computer  Conference,  San  Jose,  CA, 
October  1983. 

7.  diSessa,  A.  "Computers  and  Learning:  New  Means  to  New  Ends," 
keynote  address  at  the  President's  Forum  on  Educational  Issues: 
Computers  and  Education,  Rutgers  University,  New  Brunswick,  NJ, 
November  4,  1983. 

8.  diSessa,  A,  "Perspectives  on  the  Future  of  Educational  Software," 
WNET  Professional  Forum  on  Educational  Applications  of  Interactive 
Technologies,  New  York,  NY,  January  12,  1984. 

9.  diSessa.  A.  "Future  Computer  Languages  for  Education,"  Swedish 
National  Board  of  Colleges  and  Universities.  Symposium  on  Computers 
in  Research  and  Education,  Cambridge,  MA,  January  25,  1984. 

10.  diSessa.  A.  "Learning  Physics  with  Logo,"  Boston  Computer  Society, 
Cambridge.  MA,  March  1984. 

11.  diSessa,  A.  "Boxer:  Designing  an  Integrated  Computational 
Environment,"  Annual  Meeting  of  the  American  Educational  Research 
Association,  New  Orleans,  LA,  April  27,  1984. 

12.  diSessa,  A.  "The  Future  of  Programming,"  National  Logo  Conference, 
MIT.  Cambridge,  MA,  June  30, 1984. 

13.  Papert,  S.  Approximately  30  talks  from  July  1983  to  July  1984. 

14.  Weir,  S.  "The  Logo  Learning  Environment:  A  Catalyst  for  the  Education 
of  Severely  Handicapped  Children,"  Annual  Statewide  Conference  on 
Microcomputers  tor  Special  Education,  Worcester  Marriott  Hotel, 
Worcester,  MA,  September  19,  1983. 

15.  Weir,  S.  "Incorporating  Microcomputers  for  Special  Needs  Children  into 


80 


EDUCATIONAL  COMPUTING 


an  Urban  School  System."  The  Lowell  Model  for  Educational  Excellence 
Study  Commission,  Lowell,  MA,  October  12,  1983. 

16.  Weir,  S.  "Computers  and  Special  Needs  Children,"  St  Paul  Day  Teacher 
Workshop.  Evening:  Lecture  to  St.  Paul  Medical  Group;  St.  Paul,  MN, 
April  1984. 

17.  Weir,  S.  "What  do  Children  Learn,"  National  Logo  Conference,  MIT, 
Cambridge,  MA,  June  28, 1984. 

18.  Weir,  S.  and  Ary.  T.  "Bridge-building  between  Logo  and  Classroom 
Math"  poster  session  Logo  84,  MIT,  Cambridge,  MA,  June  29, 1984. 

19.  Weir,  S.  segment  in  "The  Talking  Turtle,"  P.B.S.  NOVA,  October  25, 
1983. 
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1.  INTRODUCTION 

The  primary  direction  of  the  Functional  Languages  and  Architectures  Group 
continues  to  be  the  study  of  new  computer  structures  to  exploit  parallelism  in 
application  programs.  Our  approach  in  studying  parallelism  is  based  on  functional 
languages  and  dynamic  dataflow  machines.  We  believe  the  success  of  a  general- 
purpose  multiprocessor  computer  depends  on  its  effective  programmability  and 
efficient  utilization  of  resources.  Thus,  in  addition  to  the  hardware  architecture,  we 
are  concerned  with  high  level  language  support,  communicationo  requirements,  and 
efficient  distribution  of  workload  over  the  machine.  We  feel  the  development  of 
novel  parallel  architectures  will  require  several  iterations.  Hence,  the  group  is 
pursuing  a  variety  of  interrelated  projects,  all  aimed  at  developing  our  understanding 
of  the  problems  and  moving  us  closer  to  a  final  implementation.  We  have  organized 
this  report  in  two  major  sections:  The  first  describes  the  Tagged  oken  Dataflow 
Project  and  the  other  describes  the  Multiprocessor  Emulation  Facility  (MEF)  for 
experimenting  with  parallel  machines.  The  Tagged  Token  Dataflow  architecture  is 
going  to  be  the  first  large  scale  emulation  experiment  on  the  MEF. 

The  Tagged  Token  Dataflow  Project  is  a  major  effort  to  realize  the  model  of 
dataflow  computation  embodied  in  the  U-interpreter  [3]  The  architecture  continues 
to  evolve  as  our  understanding  of  the  issues  related  to  realizing  this  model  deepens. 
The  development  of  a  detailed  simulation  of  the  architecture  on  the  IBM  4341  in 
cooperation  with  IBM  Yorktown  Heights  over  the  past  year  has  provided  invaluable 
experience.  In  order  to  build  the  simulation  it  was  necessary  to  give  detailed 
specifications  of  every  major  component  of  the  architecture.  This  process 
uncovered  a  number  of  oversights  in  the  early  design.  Moreover,  in  order  to  run 
programs  on  the  simulated  machine,  it  was  necessary  to  develop  a  run  time 
resource  management  system  to  control  the  allocation  of  resources  and  distribute 
work  over  the  collection  of  processors.  This  has  considerably  sharpened  our 
attention  on  resource  management  issues  in  the  past  one  year. 

The  simulator  is  too  slow  to  be  used  as  a  vehicle  for  experimenting  with  large 
dataflow  applications.  Thus,  a  large  scale  multiprocessor  emulation  of  the  Tagged 
Token  Dataflow  Machine  is  being  developed  to  meet  this  need.  We  expect  the 
emulation  to  bring  about  a  depth  of  understanding  of  dataflow  applications  far 
beyond  the  current  state  of  the  art  Currently,  the  emulated  dataflow  machine  runs 
on  five  high-performance  Lisp  Machines  which  are  connected  by  an  Ethernet, 
programming  for  both  the  simulated  and  the  emulated  machines  is  done  in  the  high- 
level  dataflow  language  Id.  We  have  an  operational  Id-to-graph  compiler  which  is 
used  to  drive  both  prototype  dataflow  machines.  The  Id  definition  has  been  revised 
to  permit  a  more  elegant  use  of  higher-order  functions.  We  plan  to  implement  a  new 
version  of  Id  in  the  next  two  years. 
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The  goal  of  the  Multiprocessor  Emulation  Facility  is  to  develop  it  as  a  useful  tool  for 
research  on  new  parallel  architectures  and  associated  languages.  The  facility  will 
consist  of  64  Lisp  Machines  and  a  high  bandwidth  interconnection  network.  Generic 
software  for  inter- processor  communication  and  for  emulating  other  architectures  is 
also  to  be  provided.  In  the  past  year,  significant  progress  toward  these  goals  was 
made.  Two  parallel  efforts  to  design  the  communication  network  have  been  put  in 
place.  One  design  uses  circuit  switching  and  communication  on  four  bit  parallel 
data  links  while  the  other  uses  packet  switching  and  bit-serial  communication.  The 
former  is  conservative  in  the  use  of  technology  and  thus  represents  lower  risk  than 
the  latter.  A  detailed  design  for  the  circuit  switch  card,  excluding  the  Lisp  Machine 
interface,  has  been  completed. 

We  have  been  able  to  attract  significant  industrial  support  in  the  form  of  three 
circuit  designers  from  IBM  Endicott  and  one  from  Ericsson,  to  do  the  hardware 
development  for  the  emulation  facility.  However,  the  infrastructure  in  the  Laboratory 
for  Computer  Science  for  hardware  development  is  not  adequate  to  support  the 
MEF.  Thus,  a  detailed  plan  for  a  hardware  laboratory  was  prepared  and  partially 
executed.  Further  construction  in  the  hardware  laboratory  is  contingent  upon 
receiving  more  research  funds  which  are  believed  to  be  available  during  the  coming 
year. 

2.  TAGGED  TOKEN  DATAFLOW  PROJECT 
2.1.  Architectural  Background 

The  Tagged  Token  Dataflow  Architecture  is  composed  of  a  number  of  Processing 
Elements  (PEs),  connected  by  a  packet  switched  communications  network.  Each  PE 
is  a  complete  dataflow  computer.  The  basic  organization  is  shown  in  Figure  7-1. 
The  PE  consists  of  a  number  of  asynchronous  pipeline  stages,  connected  by  FIFO 
buffers.  The  various  stages  form  three  subsystems.  The  subsystem  shown  toward 
the  right  in  Figure  7-1,  performs  the  basic  instruction  processing.  The  stages  of  this 
pipeline  reflect  the  essential  steps  in  the  processing  of  a  dataflow  instruction:  detect 
when  data  has  arrived  to  enable  an  instruction,  fetch  the  instruction,  compute  the 
result,  generate  result  tags,  and  finally  dispense  the  result  tokens.  The  subsystem  to 
the  left  provides  storage  for  data  structures.  This  structure  store  incorporates  a 
number  of  innovative  ideas  to  allow  for  sharing  of  information  without  constraining 
parallelism.  The  benefits  of  this  approach  are  presented  in  [4]  A  detailed  design  of 
the  controller  for  the  structure  store  is  presented  in  [9].  The  center  subsystem 
includes  a  PE  controller,  which  provides  a  variety  of  support  operations,  including 
input/output,  block  transfers,  and  access  to  the  resource  management  system. 

Tokens  and  Tags:  In  the  Tagged  Token  Dataflow  Architecture,  values  are  carried 
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Figu re  7- 1 :  A  Block  Diagram  of  the  Abstract  Machine 
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on  tokens,  which  are  passed  from  one  instruction  to  the  next.  The  arrival  of  data 
causes  the  corresponding  instruction  to  be  fetched,  unlike  a  conventional  computer 
in  which  the  execution  of  an  instruction  causes  data  to  be  fetched.  There  is  no 
program  counter  in  this  machine.  Each  token  carries  a  tag,  in  addition  to  a  data 
value,  which  specifies  the  instruction  to  be  executed.  The  tag  contains  essentially 
three  items  of  information:  the  address  of  the  PE  which  is  responsible  for  executing 
the  instruction,  the  address  of  the  instruction  to  execute  within  that  PE,  and  the 
context  in  which  the  instruction  is  to  be  executed.  The  PE  address  is  required 
because  a  code-block  may  be  spread  over  many  PEs,  and  tokens  must  be  freely 
transferred  between  PEs.  The  contextual  information  is  required  because  many 
logically  distinct  activations  of  a  given  code-block  may  be  in  execution 
simultaneously.  There  must  be  a  way  to  distinguish  the  various  activations  so  that 
tokens  belonging  to  different  activations  do  not  interact.  All  tokens  belonging  to  a 
given  activation  carry  the  same  context  identifier  or  color.  Thus,  two  tokens  are 
destined  for  the  same  instance  of  an  instruction  if  and  only  if  their  tags  match. 

Instruction  Processing:  Upon  arriving  at  a  processing  element,  a  token  enters 
the  waiting-matching  section.  The  tag  it  carries  is  compared  against  the  tags  of  all 
the  tokens  resident  in  the  waiting-matching  store.  Instructions  are  limited  to  two 
operands,  so  if  a  match  is  found,  the  corresponding  instruction  is  enabled  for 
execution.  The  two  matching  tokens  are  purged  from  the  wailing-matching  store 
and  forwarded  to  the  instruction  fetch  section.  The  instruction  specified  in  the  tag  is 
fetched  from  program  memory,  along  with  any  required  constants.  The  data  values 
are  aligned,  and  an  operation  packet  is  sent  to  the  ALU  for  processing.  In  parallel 
with  the  ALU,  the  compute-tag  section  forms  tags  for  result  tokens,  based  on  the 
destination  list  of  the  instruction  and  contextual  information  on  the  input  tag.  The 
result  values  and  tags  are  merged  to  form  tokens  and  passed  on  to  the 
communication  network,  whereupon  each  is  delivered  to  the  PE  specified  in  its  tag. 

Tolerance  to  Communication  Latency:  In  many  respects,  a  multiprocessor 
setting  presents  a  fundamental  architectural  challenge.  Communication  latency 
between  processors  is  generally  large  and  unpredictable.  Thus,  for  a  multiprocessor 
architecture  to  be  successful,  the  individual  processing  elements  must  be  extremely 
tolerant  to  communication  latency  [4],  The  PEs  which  comprise  the  Tagged  Token 
Dataflow  Architecture  meet  this  challenge.  Note  that  once  an  instruction  is  enabled, 
it  may  be  processed  to  completion  without  further  communication  with  other  PEs. 
The  pipeline  is  never  held  up  by  communication  latency.  Waiting  only  takes  place  in 
the  waiting-matching  section.  Completion  detection  for  external  communication  is 
provided  naturally  by  the  basic  instruction  scheduling  mechanism;  when  data  arrives 
an  instruction  is  scheduled.  This  dynamic  scheduling,  coupled  with  the  ability  to 
interlace  many  independent  threads  of  computation,  allows  for  overlapped  requests 
to  the  communication  system,  tolerates  long  latencies,  and  tolerates  unordered 
responses. 
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2.2.  Resource  Management 

The  description  of  the  architecture  presented  above  assumes  that  the  program 
graph  is  in  place,  distributed  appropriately  over  the  machine.  This  section  looks  at 
the  process  of  executing  programs  on  the  Tagged  Token  Dataflow  Architecture  at  a 
somewhat  higher  level.  It  focuses  on  how  resources  are  managed  and  how  work  is 
distributed  over  the  machine. 

Static  vs.  Dynamic  Resource  Allocation:  There  are  basically  two  approaches 
to  resource  allocation,  each  ottering  advantages  and  disadvantages.  On  one 
extreme  is  the  static  approach  where  the  compiler  assigns  processors  and  storage 
to  a  program.  This  is  a  common  strategy  for  scientific  programs  written  in  Fortran.  If 
the  decomposition  is  just  right,  the  performance  can  be  extremely  good,  with  little 
overhead  for  the  distribution  of  work  at  run  time.  However,  developing  a  good  static 
decomposition  appears  to  be  a  very  difficult  problem.  In  any  case,  functional 
languages  require  dynamic  resource  allocation  and  thus  preclude  a  purely  static 
approach.  A  purely  dynamic  approach,  on  the  other  hand,  implies  allocating  each 
computational  activity  on  the  least  busy  processor.  Dynamic  allocation  on  the 
Tagged  Token  machine  is  undertaken  only  at  the  level  of  procedure  calls,  (i.e.,  code¬ 
block  invocation),  each  of  which  is  assigned  to  a  group  of  PEs  at  run-time.  David 
Culler  has  developed  a  dynamic  resource  management  system  for  the  simulation 
along  these  lines.  This  resource  management  system  has  also  been  adopted  for  the 
emulated  dataflow  machine.  We  are  currently  experimenting  with  various  allocation 
algorithms  and  load  balancing  techniques.  The  present  architecture  provides  an 
efficient  and  flexible  way  to  map  loops  and  recursive  procedures  on  a  group  of 
processors.  As  static  analysis  techniques  develop,  we  will  consider  more  aggressive 
optimizations  for  mapping  special  program  structures. 

Hierarchy  of  Resources:  A  variety  of  resources  are  required  to  support  a  code¬ 
block  activation.  These  include  PEs,  program  memory,  code-block  registers,  colors, 
etc.  Coordinating  resource  allocations  between  a  variety  of  PEs  can  be  extremely 
cumbersome,  if  PEs  are  allowed  to  cooperate  in  arbitrary  ways.  In  order  to  keep  the 
complexity  of  resource  management  tractable,  a  hierarchy  is  imposed  on  the  set  of 
system  resources.  In  effect,  the  resource  manager  deals  with  blocks  of  resources 
and  allows  the  hardware  to  distribute  them  at  a  finer  grain  automatically.  This  also 
allows  the  number  of  requests  to  the  manager  to  be  reduced. 

The  notions  of  phys/ca •'  domain  and  physical  subdomain  are  introduced  to 
facilitate  selecting  a  set  of  PEs  for  an  invocation  The  collection  of  PEs  in  the  system 
is  divided  into  disjoint  physical  -.amjins  (PD),  each  being  a  set  of  consecutively 
addressed  PEs.  This  partition  is  no!  allowed  to  change  while  programs  are  running. 
Each  PD  may  be  further  narhsoneu  mtr  a  r«t  of  dis  nt  physical  subdomains  (PSD), 
again  each  is  a  set  of  contiguously  address  PEs  The  size  of  the  PSD  is  dynamic  and 
will  vary  for  different  code  blocks  in  a  given  PD  A  code  block  activation  is  assigned 
to  a  domain,  and  a  complete  copy  of  the  code  is  placed  in  each  subdomain. 


89 


FUNCTIONAL  LANGUAGES  AND  ARCHITECTURES 


To  simplify  memory  management,  we  require  that  memory  allocation  be  identical  in 
every  PE  in  a  given  domain.  The  code-block  is  split  into  as  many  sub  blocks  as  there 
are  PEs  in  a  subdomain.  Each  PE  receives  one  sub-block,  all  starting  at  the  same 
base  address.  This  allocation  is  replicated  for  each  subdomain  in  the  domain.  For 
computational  efficiency  we  require  that  all  PD  and  PSD  be  a  power  of  two  in  size. 

Each  copy  of  the  code-block  may  be  used  by  many  concurrent  activations  and 
each  of  these  may  require  mapping  information  to  be  stored  locally  to  the  PEs,  so 
that  result  tags  can  be  generated.  Again,  by  grouping  activations  together  this 
mapping  information  can  be  kept  within  reason.  Each  PE  contains  a  set  of  256 
code-block  registers  (CBR).  Each  code-block  register  contains  a  code-base  address 
and  information  pertaining  to  the  mapping  of  the  code-block  onto  the  domain.  Each 
code-block  register  can  support  16  colors ;  additional  information  can  be  associated 
with  each  color.  Code-block  registers,  like  program  memory,  are  allocated  uniformly 
throughout  each  domain.  With  this  partitioning,  the  manager  views  the  system 
resources  in  terms  of  domains,  code-block  registers,  and  colors. 

To  understand  the  role  of  the  manager,  consider  the  process  of  code-block 
activation.  A  request  is  sent  to  the  resource  manager.  It  first  selects  a  domain  with 
sufficient  resources  to  support  the  activation.  If  the  code-block  is  not  present  in  this 
domain,  it  will  have  to  be  loaded.  In  this  case,  the  subdomain  size  may  be  set  as 
suggested  by  the  compiler,  or  as  determined  by  the  resource  manager.  A  code¬ 
block  register  must  be  allocated,  and  a  set  of  colors,  relative  to  this  CBR,  is  assigned 
to  this  activation.  Finally,  program  memory  is  allocated  throughout  the  domain  and 
the  code  is  loaded.  Mapping  information  is  established  in  each  PE  to  describe  the 
disposition  of  the  code-block,  as  part  of  the  CBR.  Further  information  pertaining  to 
each  color  can  also  be  provided.  The  code-block  is  now  ready  to  execute.  The 
manager  allocates  argument  and  result  structures  and  sends  descriptors  to  both  the 
caller  and  the  newly  activated  code-block.  The  code-block  may  now  execute  on  its 
own  except  for  invocation  and  resource  allocation  requests.  Subsequent 
invocations  of  the  same  code-block  may  share  the  CBR,  if  colors  are  available.  If 
not,  a  new  CBR  must  be  allocated,  but  it  may  share  the  copy  of  the  code.  In  either 
case  the  mapping  parameters  will  have  to  be  the  same  as  the  original,  since  the  code 
has  the  same  disposition.  New  color  information  may  be  provided. 

These  resource  management  concerns  essentially  dictate  the  structure  of  the  tag 
carried  on  tokens.  It  consists  of  five  fixed  size  fields  <PE  #  ,  CBR,  Color,  Initiation  #, 
Relative  Instruction  Address).  The  code-block  register  gives  the  base  address  of  the 
code  and  the  base  address  of  the  color  information.  This  allows  instructions  and 
constants  to  be  fetched  from  program  memory.  The  CBR  also  describes  the 
disposition  of  the  code-block  across  the  domain,  so  the  hardware  can  generate  tags 
for  result  tokens. 
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Efficient  Internal  Invocation:  The  resource  manager  provides  a  mechanism  for 
initiating  activity  in  a  possibly  distant  region  of  the  machine.  However,  in  many  cases 
this  generality  is  not  required  and  is  overly  expensive.  In  order  to  allow  highly 
repetitive  program  structures  to  execute  without  involving  the  resource  manager, 
256  initiation  numbers  are  associated  with  each  color.  Loops  and  recursive 
procedures  make  use  of  the  initiation  numbers  to  distinguish  tokens  belonging  to 
different  iterations,  or  different  recursive  invocations.  A  code- block  activation  is 
allotted  a  color  and  has  the  range  of  initiation  numbers  at  its  disposal.  Loops  utilize 
the  D  operator,  which  increments  the  initiation  number.  Recursive  procedures  make 
use  of  the  R  operator,  which  computes  a  new  initiation  number  of  the  form  A  •  i  +  B. 
Many  loops  may  exceed  256  iterations,  hence  facilities  are  provided  for  allocating 
blocks  of  colors  and  for  using  the  next  color  in  the  case  of  initiation  number 
overflow  The  compiler  generates  code  to  test  whether  all  colors  and  initiation 
numbers  have  been  exhausted  and  to  issue  a  manager  request  for  more  colors  if 
necessary. 

The  hardware  provides  a  mechanism  to  distribute  internal  activations  over 
processors  efficiently.  This  is  the  rationale  for  partitioning  domains  into 
subdomains.  Recall,  each  subdomain  contains  a  complete  copy  of  the  code.  The 
hardware  distributes  activations  within  a  domain  based  on  the  initiation  number.  An 
additional  parameter  is  provided  to  support  block  distribution  (i.e.,  k  iterations  on 
this  PSD,  k  on  the  next,  and  so  on).  This  follows  along  the  lines  discussed  in  Arvind, 
et  al.  [2). 

The  results  of  static  analysis  are  expected  to  guide  the  resource  manager  in 
making  allocations.  In  particular,  it  enters  into  the  process  of  choosing  among 
domains,  choosing  subdomain  size,  choosing  k  (the  number  of  iterations  to  keep 
together),  and  for  deciding  where  to  allocate  data  structures.  Conveying  this 
information  is  somewhat  subtle,  however.  Completely  static  information,  such  as 
nesting  relationships,  can  be  included  in  the  compiler  output  along  with  the  code. 
Execution  dependent  information  is  supplied  by  augmenting  the  graph  slightly  and 
sending  information  along  with  the  request.  Currently,  only  simple  information  is 
conveyed  in  this  way,  such  as  the  expected  number  of  iterations.  But  we  are 
investigating  more  powerful  aids  of  this  form. 

Compiler  Responsibilities:  Introducing  a  resource  management  system  into  a 
dataflow  model  raised  a  number  of  interesting  compilation  issues.  The  U-interpreter 
is  entirely  independent  of  resources;  it  assumes  unbounded  computational 
resources.  In  order  to  execute  dataflow  programs  on  a  practical  machine,  resources 
must  be  explicitly  requested.  They  must  also  be  released  in  some  manner.  The 
basic  dataflow  graphs  must  be  augmented  so  that  the  resource  manager  request  is 
generated  when  resources  are  required.  Also,  the  compiler  must  generate  code  to 
make  proper  use  of  blocks  of  resources.  For  example,  to  use  initiation  numbers 
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properly,  it  is  necessary  to  handle  overflows.  The  compiler  must  generate  code  to 
determine  when  resources  can  be  released.  This  involves  detecting  completion  of 
code  block  activations  and  proper  handling  of  reference  counts  for  structures. 

Detecting  comoietion  is  non  trivial  in  a  dataflow  system  because  a  code-hlock  may 
continue  to  execute  after  all  interesting  results  have  been  produced.  Many  iterations 
of  a  loop  may  be  active  simultaneously,  so  the  compiler  must  detect  that  all  have 
completed.  For  acyclic  graphs  there  is  little  trouble.  A  signal  token  is  generated  for 
any  operators  which  have  no  destinations.  These  and  all  the  output  arcs  of  the 
graph  form  the  inputs  to  a  binary  reduction  tree.  The  token  that  falls  out  the  bottom 
of  the  tree  is  the  last  token  of  the  activation.  This  technique  can  be  extended  to 
loops,  but  care  must  be  taken  to  avoid  serializing  loops  that  would  otherwise  provide 
parallelism.  The  special  signal  token  of  one  iteration  is  part  of  the  completion  tree 
for  the  next.  In  effect  completion  detection  is  serial,  even  though  the  loop  may  be 
parallel.  The  detection  simply  lags  behind  the  loop  execution. 

One  important  implication  of  this  incremental  completion  detection  is  that  it  makes 
it  possible  to  run  loops  of  an  arbitrary  number  of  iterations  using  only  a  few  colors. 
The  loop  is  given  multiple  colors.  As  it  exhausts  one  color  it  goes  on  to  the  next  or 
requests  more.  The  completion  follows  behind  detecting  and  releasing  colors  that 
are  no  longer  needed  and,  hence  may  be  recycled. 

The  compiler  must  also  assist  in  the  detection  of  parallelism  in  the  construction  of 
data  structures.  When  certain  restrictions  apply,  arrays  can  be  modeled  as  I- 
structures  which  allows  for  a  more  parallel  implementation  than  for  ordinary 
structures.  Detecting  those  arrays  which  can  be  implemented  as  l-structures  is 
difficult  in  general:  it  involves  analysis  similar  to  that  done  by  vectorizing  compilers 
during  code  vectorization.  There  are.  however,  several  important  special  cases 
where  l-structures  can  be  detected  easily.  We  have  also  found  several  situations  in 
which  the  techniques  of  vectorizing  compilers  can  be  borrowed  and  applied.  The 
compiler  generates  instructions  for  the  run  time  system  to  allocate  l-structure 
storage.  For  storage  reclamation,  reference  counting  can  be  implemented  because 
l-structures  are  acyclic.  The  overhead  of  maintaining  reference  counts  can  be 
substantially  reduced  if,  with  compiler  assistance,  they  are  incremented  and 
decremented  at  procedure  call  and  exit  only. 

2.3.  Simulation  Experiments 

The  primary  purpose  of  the  simulation  fr  -’«ty  is  to  provide  a  prototype  and  test  bed 
for  the  Tagged  Token  Dataflow  Architecture  i  no  basic  requirement  in  designing  the 
simulator  was  that  all  aspects  of  the  architecture  be  modeled  in  a  manner  that  could 
be  cast  directly  into  hardware.  Deficiencies  in  the  architecture  were  to  be  exposed 
and  remedied,  rather  than  disguised  by  software  tricks  Working  through  the 
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implementation  of  the  machine  in  tnis  manner  did  indeed  uncover  shortcomings  and 
caused  the  specification  of  the  architecture  to  become  muon  more  precise.  The 
architecture  is  basically  an  asynenronous  pipeline,  with  stages  connected  via  finite 
sized  buffers.  This  moauiarity  is  reflected  in  the  design  of  the  simulator;  the 
functional  behavior  of  eacn  stage  is  modeled  by  a  Pascal  procedure  which  receives 
an  input  packet  and  the  state  of  a  station  and  produces  a  list  of  result  packets  with  a 
new  state.  Thus,  the  specifications  of  the  major  hardware  components  are  easily 
discernible  from  the  simulator  software.  Also,  the  modeling  of  buffer  interactions  is 
divorced  from  the  modeling  of  the  functional  behavior  of  the  components.  This 
design  has  greatly  simplified  the  check  out  task  and  allows  the  architectural 
specifications  to  be  easily  modified. 

The  first  requirement  of  this  'soft'  prototype  is  that  it  support  all  operations  defined 
in  the  instruction  set  [1]  and  provide  enough  resource  management  support  to  run 
substantial  Id  programs.  This  requirement  has  been  met.  Most  of  the  code  has  been 
written  by  Culler.  Brobst.  Vafa  and  Wei.  In  the  coming  months,  the  simulator  will 
provide  a  vehicle  for  analyzing  the  architecture.  The  initial  set  of  experiments  are 
directed  at  identifying  potential  architectural  failures:  buffer  deadlock,  insufficient 
waiting  matching  facilities,  and  inordinate  overhead.  A  larger  body  of  experiments 
will  focus  on  determining  the  proper  balance  of  various  components  (e.g.,  buffer 
sizes  and  processing  speeds)  and  how  various  factors  affect  the  performance  of  the 
machine. 

The  simulation  facility  has  provided  valuable  experience  in  programming, 
debugging,  and  diagnosis  in  a  multiprocessor  setting.  The  simulator  pursues  many 
computations  in  parallel.  Thus,  debugging  a  progiam  being  run  on  the  simulator 
involves  all  the  subtleties  of  debugging  on  a  true  multiprocessor:  what  does  a 
breakpoint  mean?  what  would  be  a  meaningful  trace?  etc.  We  have  developed  a 
debugging  tool  which  will  allow  the  user  to  examine  the  invocation  tree  (i.e.,  the 
parallel  counterpart  to  a  conventional  procedure  trace)  and  to  observe  the  execution 
of  a  specific  code-block  at  the  instruction  level.  Debugging  the  simulator  itself  has 
proved  much  like  diagnosing  hardware:  bugs  have  to  be  isolated  by  running 
diagnostic  programs  on  the  simulator  and  inferring  from  their  misbehavior.  We  are 
developing  a  significant  diagnostic  package  which  will  carry  over  to  hardware 
implementations  of  the  Tagged  Token  Dataflow  Architecture. 


2.4.  Emulation  Experiments 

As  a  further  proving  ground  for  the  Tagged  Token  Dataflow  Architecture  on  large 
applications,  we  are  developing  a  high  speed  emulation  of  the  architecture  on  the 
MEF.  The  first  version  of  the  software  for  this  emulator  has  been  completed, 
allowing  us  to  run  graphs  generated  by  the  Id  compiler.  The  emulated  dataflow 
machine  can  be  configured  to  run  several  dataflow  PEs  on  each  Lisp  Machine  which 
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communicates  with  other  Lisp  Machines  over  a  ten  megabit  Ethernet.  Higher-speed 
networks  are  currently  under  development  and  the  software  is  structured  so  as  to 
allow  machines  to  easily  integrate  with  such  networks  when  they  become  available. 

Currently,  enhancements  to  support  debugging  in  an  asynchronous  environment 
and  a  user  interface  consistent  with  the  simulator  are  being  developed.  The 
performance  of  the  Lisp  version  of  the  emulator  is  roughly  200  dataflow  instructions 
per  second  on  a  single  Lisp  Machine.  If  scaled  up  to  64  processors,  this  would  be 
approximately  13,000  dataflow  instructions  per  second.  However,  we  have  not  yet 
begun  optimizing  performance  by  finding  bottlenecks  in  the  Lisp  code  or  moving 
critical  pieces  of  the  Lisp  code  into  micro  code,  so  we  are  confident  that  we  can 
obtain  our  ultimate  performance  goal  of  64,000  to  640,000  dataflow  instructions  per 
second  after  some  fine  tuning.  These  issues  are  discussed  further  in  Section  3. 

2.5.  Compiler  Development 

Two  compilers  for  the  dataflow  language  Id  have  been  developed.  One  of  them 
translates  Id  into  Maclisp,  and  provides  a  complete  run-time  system  to  execute  the 
object  code;  the  other  one  translates  Id  into  dataflow  graphs  where  each  node  in  the 
graph  is  a  Tagged  Token  Dataflow  Machine  instruction.  The  Id  to-graph  compiler  is 
also  responsible  for  generating  instructions  that  ask  for  allocations  and  deallocation 
of  resources.  Both  compilers  are  written  in  Maclisp,  and  run  on  DEC-20  as  well  as 
on  Lisp  Machines.  The  first  compiler  was  written  by  Kathail  and  Pingali,  while  the 
second  one  was  written  by  Kathail  alone.  Work,  in  cooperation  with  IBM  Yorktown 
Heights,  is  underway  to  run  these  compilers  on  IBM  machines  using  YKTLISP. 

Further  work  on  compilers  can  be  classified  into  the  following  three  categories: 

1)  Develop  and  implement  algorithms  for  the  Id-tograph  compiler  for  doing 
static  analysis  of  the  programs  to  acquire  information  that  may  be  useful 
to  the  system  manager.  This  includes  finding  producer-consumer 
relationship  among  code-blocks  and  finding  sizes  of  various  data 
structures  to  name  a  few. 

2)  Develop  and  implement  optimization  techniques  to  improve  the 
efficiency  of  the  code  generated  by  the  Id  to-graph  compiler.  This 
includes  optimizations  like  constant  subexpression  elimination,  code¬ 
block  merging  to  eliminate  the  setup  time  associated  with  a  procedure 
call,  as  well  as  reduce  the  number  of  calls  to  the  manager  and  constant 
propagation. 

3)  Incorporate  streams,  managers,  and  a  declarative  or  deductive  typing 
system  in  both  compilers. 
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2.6.  Higher-order  Functions  and  Reduction 

It  has  often  been  remarked  that  much  of  the  power  and  elegance  of  functional 
languages  stems  from  higher-order  functions  i.e.,  functions  that  can  take  functions 
as  arguments  or  return  functions  as  the  result  of  application.  The  use  of  higher-order 
functions  has  been  stressed  by  researchers  interested  in  reduction  and  reduction 
languages;  in  particular,  by  Turner  [17],  Backus  [6]  and  Burge  [8]  As  part  of  our 
design  effort,  Arvind,  Kathail  and  Pingali  [5]  re-examined  the  primitives  provided  in  Id 
for  programming  with  higher-order  functions  and  found  them  deficient  in  several 
respects.  In  particular,  we  were  dissatisfied  with  the  compose  operator  of  Id  since 
we  found  that  it  was  clumsy  to  use  and  led  to  contorted  programs.  Our  research  into 
languages  based  on  the  reduction  (in  particular,  SASL  [16]  model  of  implementation 
has  led  us  to  revise  Id  in  order  to  permit  efficient  implementation  and  ease  of  use  of 
higher  order  functions.  In  addition,  this  research  has  lead  one  of  our  group 
members.  Kenneth  Traub,  to  design  a  novel  architecture  for  performing  parallel 
reduction  [15]  The  proposed  architecture  has  several  advantages  over  current 
proposals  in  the  literature  for  performing  parallel  reduction. 

Given  an  expression  in  a  functional  language,  reduction  interpreters  attempt  to 
simplify  the  expression  by  applying  a  "rewrite  rule"  to  generate  another  expression 
which  can  be  simplified  in  turn.  By  doing  this  repeatedly,  the  interpreter  generates  a 
sequence  of  expressions;  if,  at  some  point,  an  expression  is  generated  which  cannot 
be  simplified  further,  the  interpreter  returns  that  expression  as  the  answer. 
Expressions  that  cannot  be  simplified  further  are  called  normal  forms  and  the 
number  of  reduction  steps  taken  by  an  interpreter  to  produce  the  normal  form  of  an 
expression  is  usually  taken  be  be  a  measure  of  the  work  performed  by  the  interpreter 
in  reducing  the  expression.  Examples  of  reduction-based  interpreters  are  the 
normal  order  and  applicative  order  interpreters  for  the  A-calculus. 

Since  most  functional  languages  can  be  considered  syntactic  sugar  for  the 
A-calculus,  our  research  concentrated  on  interpreters  for  the  A-calculus.  Our  goal 
was  to  determine  the  factors  which  affected  the  number  of  times  identical  sub¬ 
expressions  were  evaluated.  We  believed  intuitively  that  if  an  interpreter  shared 
larger  sub  expressions,  it  would  take  fewer  steps  to  find  the  normal  form.  To  our 
surprise,  we  found  that  this  was  not  always  true.  We  have  shown  in  [5]  that 
Wadsworth’s  fully  lazy  interpreter  [18]  shares  more  sub  expressions  than  Henderson 
and  Morris’  lazy  interpreter  [10]  at  each  reduction  step.  Furthermore,  we  have  given 
a  A-calculus  expression  for  which  the  fully  lazy  interpreter  takes  more  steps  than  the 
lazy  interpreter.  This  led  us  to  define  the  notion  of  weak  normal  forms  for  which  it  is 
in  fact  true  that  an  interpreter  that  does  more  sharing  takes  fewer  steps  to  find  the 
answer.  The  importance  of  weak  normal  forms  is  that  practical  interpreters  return 
weak  normal  forms  as  answers.  We  then  showed  that  it  is  possible  to  transform  any 
expression  so  that  a  lazy  interpreter  reducing  the  transformed  expression  would 


95 


FUNCTIONAL  LANGUAGES  AND  ARCHITECTURES 


share  the  same  sub  computations  as  a  fully  lazy  interpreter  reducing  the  original 
expression.  Finally,  the  effect  of  representing  A  expressions  as  combinatory  forms 
was  explored.  It  was  found  that  sharing  was  affected  not  by  the  alternative 
representation  itself  but  by  the  abstraction  algorithm  used  to  transform  the 
A-expression  into  the  combinatory  form. 

3.  THE  MULTIPROCESSOR  EMULATION  FACILITY 

3.1 .  The  Emulator  as  a  Prerequisite  to  the  Dataflow  Machine 

The  Tagged  Token  Dataflow  Machine  and  associated  programming  environment 
represent  a  radical  departure  from  both  the  hardware  and  software  for  parallel 
processing  based  on  von  Neumann  processors  communicating  via  shared  memory. 
A  real  challenge  in  building  the  first  Tagged  Token  Dataflow  Machine  is  to  solve  two 
highly  interrelated  problems.  Firstly,  there  are  few  large  dataflow  programs  whose 
dynamic  behavior  is  well  understood;  estimates  of  dynamic  behavior  must  be  based 
exclusively  on  the  analysis  of  the  source  code  expressed  in  dataflow  languages 
because  of  a  lack  of  facilities  for  executing  these  programs.  This  method  of  gaining 
insights  into  the  behavior  of  dataflow  programs  can  be  applied  to  a  very  limited 
number  of  application  programs  because  it  requires  close  cooperation  of  dataflow 
and  application  experts.  Application  experts  have  little  motivation  to  spend  time  to 
understand  the  behavior  of  their  applications  on  "hypothetical  computers". 
Secondly,  the  architecture  of  the  Tagged  Token  machine  is  so  different  from 
conventional  processors  that  it  is  difficult  to  estimate  some  architectural  parameters 
(e.g..  size  of  buffers)  whose  effect  on  the  overall  performance  of  the  machine  may  be 
critical,  without  some  concrete  assumptions  about  the  dynamic  behavior  of 
programs.  One  way  we  are  trying  to  resolve  this  paradoxical  situation  is  by 
implementing  the  Tagged  Token  Dataflow  Machine  on  a  multiprocessor  emulation 
facility. 

3.2.  The  Emulator  as  an  Interesting  Parallel  Processor 

In  addition  to  providing  a  highly  productive  vehicle  for  the  direct  emulation  of  large 
scale  dataflow  programs,  the  Emulator  is  an  interesting  and  innovative 
multiprocessor  in  its  own  right.  It  is  the  first  MIMD  machine  which  can  suppoit 
general,  distributed,  asynchronous  processes  that  require  relatively  large  amounts 
of  interprocess  communication  and  can  do  so  much  moic  rapidly  and  be  more  cost- 
effective  than  the  equivalent  simulation  on  a  single  very  large  SISD  machine.  This 
unique  characteristic  is  a  result  of  two  fundamental  design  decisions. 

First,  the  Lisp  workstations  being  used  to  build  the  facility  are  themselves  powerful 
machines  with  sophisticated  programming  environments.  The  power  lies  in  the 
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supermini  class  internal  architecture  of  a  high-performance  micro-engine,  wide  data 
paths,  and  a  high-speed  memory  subsystem.  The  machine  also  has  an  I/O  structure 
capable  of  supporting  a  high-performance  interprocessor  communication 
mechanism.  The  associated  Lisp  system  provides  a  good  environment  for  the 
development  of  cooperating  asynchronous  processes,  and  thus  also  a  good  vehicle 
for  architectural  exploration,  assuming  that  each  processing  element  (or  each  of  its 
subsystems)  is  viewed  as  a  process. 

Second,  the  interprocessor  communication  networks  provide  an  instrumented, 
flexible,  and  inherently  fault-tolerant  data  transport  mechanism  that  is  well-matched 
to  the  processor's  throughput.  The  network  is  easily  reconfigured  and  allows 
evaluation  of  a  variety  of  communication  strategies  including  perfect  n-cube,  planar, 
token  ring(s).  and  shuffle  exchanges.  This  permits  empirical  exploration  of  the 
effects  of  interconnect  topology  and  bandwidth  on  the  overall  machine  performance. 
The  communication  controller  design  is  matched  to  the  high-performance  of  the 
Lisp  Machine.  It  provides  its  own  horizontal  microcontrollers  to  permit  transmission 
and  reception  of  messages  concurrently  with  the  normal  program  execution.  Each 
switch  node  supports  an  aggressive  instrumentation,  test,  and  maintenance 
subsystem  as  well  as  managing  the  routing  tables  for  the  currently  supported 
network  topologies. 

In  a  sense,  these  two  features  are  not  new  -  at  least  when  taken  independently.  It 
is  precisely  the  fact  that  mature,  high-performance  von  Neumann  machines  like  the 
Lisp  Machine  and  the  theory  of  n-dimensional  packet  switching  exist  that  reduces 
the  risk,  and  thus  the  time  to  completion,  of  the  Emulator.  What  makes  this 
interesting  is  that  this  level  of  power,  a  necessary  level  to  run  meaningful  programs, 
has  never  been  assembled  in  such  a  flexible  and  balanced  fashion.  Previous 
implementations  have  either  lacked  processor  performance,  productive 
programming  environments  or,  the  common  problem,  a  well-matched 
communication  system  that  does  not  impose  excessive  processor  overhead. 
Compromises  in  design  either  due  to  cost  or  narrow  intent  haven  taken  their  toll. 
This  really  marks  the  first  time  that  a  parallel  machine  can  directly  execute  and 
instrument  a  reasonably  broad  class  of  distributed  programs  significantly  faster  than 
an  equivalent  simulation  on  the  largest  uniprocessor  systems. 

3.3.  Hardware  Development 

We  view  the  Emulator  as  being  an  evolutionary  step  toward  our  goal  of  building  a 
VLSI  Tagged  Token  Dataflow  processor.  It  will  allow  us  to  properly  study  this 
radically  different  architecture  without  the  usual  constraints  and  commitment  of 
resources  that  are  required  for  a  typical  ftardware  project.  Also,  the  component  of 
the  Emulator  which  is  being  invented,  namely  the  communications  network,  is 
crucial  to  the  realization  of  a  Tagged  Token  Dataflow  Machine.  The  network  is  being 
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designed  in  three  phases,  all  oriented  toward  developing  VLSI  for  packet 
communication  over  high  speed  serial  point  to  point  circuits.  The  circuit  switch  is 
the  first  phase,  while  the  packet  switch  and  its  VLSI  version  are  the  final  two  phases. 

The  Circuit  Switch:  In  an  effort  to  get  a  network  operational,  we  decided  to 
adapt  the  network  used  by  Bolt,  Beranek,  and  Newman  in  their  Butterfly 
multiprocessor  [14],  The  switching  node  in  this  network  is  a  4x4  crossbar  with  4  bit 
wide  data  paths.  These  nodes  are  interconnected  and  centrally  clocked  to  form  a 
synchronous  network  of  arbitrary  topology.  Messages  traversing  the  network  carry 
an  encoding  of  the  network  path  they  are  to  take.  The  adaptation  of  the  BBN  design 
required  re  engineering  the  switch  so  that  the  network  will  be  built  solely  out  of 
cards  plugged  directly  into  the  backplanes  of  our  Lisp  Machines.  As  a 
consequence,  the  design  had  to  allow  for  longer  inter-switch  cables.  More 
importantly,  we  are  designing  the  necessary  buffering  and  control  logic  so  that  the 
network  presents  as  little  processing  load  on  the  associated  processors  as  possible. 
Greg  Papadopoulos  and  Eric  Hagersten  have  been  doing  this  design. 

We  believe  there  is  a  high  probability  that  a  system  based  on  the  circuit  switch  will 
be  operational  within  a  year,  as  opposed  to  a  system  based  on  the  packet  switch 
which  may  not  be  available  for  two  years.  In  a  move  to  reduce  duplication  of  effort, 
v/e  have  constrained  both  switch  designs  to  share  major  subsystems.  Our  re¬ 
implementation  of  the  BBN  circuit  switch  has  proceeded  smoothly  since  September. 
We  now  have  three  of  the  four  major  subsystems  designed  and  entered  into  our 
Computer  Aided  Engineering  station.  An  extensive  discussion  of  the  development 
plan  for  the  circuit  switch  can  be  found  in  [13], 

Packet  Switch:  We  think  that  a  good  network  structure  for  the  Emulator  is  a 
hypercube  of  high  speed,  bidirectional,  serial  interconnections  with  lull  store  and 
forward  logic  at  each  switching  node  [12].  The  exploratory  design  work  by  Robert 
lannucci  has  shown  the  approach  to  be  within  the  capability  of  modern  engineering 
techniques  [11].  Nevertheless,  to  achieve  the  target  speed  and  reliability,  the  serial 
link  drivers  and  receivers  within  the  switch  will  be  implemented  with  a  mixture  of 
analog  and  digital  circuits.  Further,  the  internal  logic  of  the  switch  places  strong 
demands  on  the  circ- 1  technology  for  speed  and.  more  critically,  predictability.  Off 
the  shelf  logic  typically  has  a  very  wide  spread  of  "acceptable"  performance 
specified  by  the  manufacturer.  This  large  spread,  when  combined  with  the  desire  to 
produce  a  robust  design,  forces  the  use  of  worst-case  performance  figures.  This 
typically  translates  directly  into  a  bloating  of  the  design  in  terms  of  chip  count.  It 
should  be  noted  that  we  are  interested  in  medium  sized  volumes  of  assembled  and 
tested  switch  cards  because  of  our  own  needs  and  anticipated  need  for  those  who 
wish  to  replicate  the  Emulator. 

To  solve  these  problems,  we  have  reached  an  agreement  with  IBM  under  which 
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they  have  installed  a  department  of  four  full-time  engineers  at  MIT  for  three  years. 
These  engineers  will  help  in  the  design,  prototyping  construction,  and  testing  of  this 
packet  network.  We  are  studying  the  possibility  of  using  an  IBM  serial  data 
communications  circuit  of  their  own  design  which  more  than  meets  our  performance 
goals.  In  addition,  IBM  will  give  us  access  (indirectly  through  their  engineers)  to  a 
medium  capacity  bipolar  gate  array  technology  and  to  their  Engineering  Design 
System.  This  should  solve  our  circuit  testing  problem  because  IBM  will  provide  us 
with  tested  gate  array  chips. 

During  the  spring  of  1983  a  project  to  study  the  feasibility  of  a  VLSI  version  of  the 
bit  serial  transciever  was  undertaken  in  the  advanced  VLSI  subject  at  MIT.  It  resulted 
in  the  preliminary  design  of  a  100  MHz  serial  data  communications  circuit  based  on 
the  MOSIS  1.2  jim  two  layer  metal  CMOS  process  [7],  The  transmitter  section 
develops  a  Manchester  coded  data  stream  using  asynchronous  finite  state 
techniques.  The  receiver  re-extracts  data  and  clock  from  the  Manchester  waveform 
using  an  on-chip  phaselock  loop. 

We  are  continuing  this  VLSI  effort  because  the  bit-serial  transreciever  will  be  a 
retrofitable  part  of  this  switch  and  has  applications  far  beyond  the  Packet  Switch.  In 
VLSI  chips,  the  transistor  to  I/O  pin  ratio  will  continue  to  increase  and  thus,  as  the 
use  of  pins  for  inter  chip  communication  will  rely  more  heavily  on  time  multiplexing 
techniques  in  the  future.  Our  VLSI  version  of  the  bit  serial  transreciever  set  is  very 
robust  and  implements  full  flow  control.  It  will  allow  a  multichip  system  to  be 
designed  according  to  the  synchronous  on-chip,  a  synchronous  across-chip 
methodology.  Thus,  traditional  chip  design  techniques  can  be  employed  and  the 
need  for  centralized  clocking  eliminated. 

3.4.  Emulation  Software 

The  Multiprocessor  Emulation  Facility,  developed  by  Richard  Soley,  is  a  large  body 
of  Lisp  software  which  allows  its  user  to  quickly  and  easily  prototype  a  single-  or 
multiprocessor  computer  architecture,  and  to  then  execute  the  proposed  machine  in 
emulation.  In  order  to  achieve  high  emulation  speed  without  excessive  cost,  and  to 
force  systems  architects  to  begin  thinking  of  computers  in  a  distributed, 
multiprocessing  way,  the  Emulation  Facility  is  designed  to  execute  on  many  parallel 
Lisp  processors,  linked  via  a  variety  of  communications  media. 

The  general  case  of  a  multiprocessor  is  a  group  of  various  asynchronous 
independent  processing  elements  with  no  shared  state,  connected  by  a  packet 
communications  network  of  arbitrary  connectivity.  MEF  supports  this  type  of 
architecture  directly,  by  providing  a  set  of  software  abstractions  which  facilitate  the 
modeling  of  such  an  architecture  in  the  Lisp  language.  The  abstractions  include 
programs  to  define  experiments  and  logical  processors.  An  experiment  consists  of 
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the  number  and  type  of  processors  being  emulated,  their  interconnection  topology, 
and  other  information  pertinent  to  running  the  architecture  in  emulation.  A  logical 
proco-.sc'  is  a  Lisp  program  which  exhibits  the  behavior  ot  a  physical  processor  in 
the  multiprocessor  architecture  by  modifying  local  data  representing  the  state  ot  the 
processor,  and  communicating  with  other  processors  by  calling  MEF's  message 
sending  primitives.  The  MEF  will  also  provide  support  tor  dealing  with  the  lower- 
level  issues  of  handling  networks  and  protocols  used  on  them,  configuring  emulated 
topologies  on  top  ot  different  physical  interconnections  ot  the  Lisp  Machines,  etc. 

In  addition  to  these  tools,  the  system  includes  more  mundane  subsystems,  such  as 
the  Control  Panel,  which  acts  as  the  bootstrap-load  processor  of  the  system, 
configuring  the  Lisp  Machines  taking  part  in  a  particular  emulation  experiment, 
broadcasting  the  experiment  to  be  executed,  and  setting  up  the  communications 
media  for  the  desired  interconnection  topology.  The  conliol  panel  subsystem  also 
piovides  primitives  for  collection  and  display  of  various  statistics,  either  during 
execution,  or  afterward. 

The  MEF  system  automatically  distributes  logical  processors  in  the  experiment 
over  the  physical  Lisp  Machines  currently  configured  into  the  facility.  In  this  way,  an 
experiment  that  requires  sixteen  logical  procc-''-nrs  can  be  run  on  the  facility  using 
one.  two,  or  more  physical  Lisp  Machines.  In  addition,  the  Lisp  Machines  may  be 
partitioned  into  separate  sub-facilities  by  the  control  panel,  allowing  multiple 
emulation  experiments  to  run  at  the  same  time. 

Although  the  abstract  structure  outlined  above  was  chosen  lor  its  generality  in 
emulating  multiprocessor  configurations,  the  skeptic  will  immediately  note  that  it 
does  not  directly  support  such  multiorocessor  designs  as  synchronous  processors 
(like  the  Connection  Machine,  or  llliac  IV)  or  tho  shared  memory  model  (e.g.. 
C.mmp).  In  fact,  this  model  is  abstract  enough  to  allow  prototypical  implementation 
of  even  these  models  of  parallel  computation;  generally,  another  virtual  processing 
element  is  added  to  the  emulation  experiment  definition  to  model  this  shared 
resource  (e.g.,  clock  or  memory)  of  tho  system.  This  is  actually  quite  close  to  the 
real  hardware  implementation  of  such  a  system,  in  which  a  central  clock  for 
synchronous  operation  or  a  central  shared  memory  will  actually  bo  a  separate 
subsystem  of  the  architecture.  In  addition,  interconnection  schemes  other  than 
packet  switching  networks  can  bo  simulated  on  top  of  our  packet  switch  by  using 
the  packets  to  simulate  individual  items  in  a  continuous  stream  communication 
mechanism. 

The  implementation  of  the  Multiprocessor  emulation  Facility  is  proceeding 
smoothly.  We  currently  have  an  emulation  system,  written  inliiely  in  /etaLisp. 
running  on  five  Symbolics  3670  processors.  Wc  continue  to  utilize  the  ten  megabit 
Ether  network,  executing  Chaos  protocols,  foi  our  communications  medium.  As 
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work  progresses  on  the  circuit  and  packet  switch  hardware,  we  are  in  the  midst  of 
preparation  for  use  ot  those  now  and  faster  media. 

We  currently  have  two  architectures  in  emulation.  The  first,  written  by  Richard 
Soley,  is  a  simple  von  Neumann  style  machine,  emulated  as  two  logical  processors 
(one  CPU  and  one  MEMORY  box)  connected  via  a  bus  (all  communications  actually 
pass  through  the  Emulation  Facility  software,  as  described  above).  This  simple 
emulation  provided  a  vehicle  for  debugging  parts  of  the  system. 

We  also  have  an  emulated  version  of  the  Tagged  Token  Dataflow  Machine  running 
on  the  Emulation  Facility.  This  emulation,  developed  by  Richard  Soley,  Paul  Fuqua, 
and  Poh  lim,  fully  supports  our  current  definition  of  the  Tagged  Token  Dataflow 
Architecture.  We  are  already  using  the  dataflow  emulation  experiment  to  tune  the 
design  of  the  Tagged  Token  Dataflow  Architecture.  We  are  executing  Id  programs, 
compiled  into  machine  code,  at  the  rate  of  one  hundred  dataflow  machine 
instructions  per  second. 

We  have  an  immediate  pressing  need  for  more  speed  in  the  dataflow  emulation; 
therefore,  selected  parts  of  the  emulation  facility  and  the  dataflow  experiment  itself 
are  being  hand-tuned  to  reach  the  goal  of  one  thousand  emulated  dataflow  machine 
instructions  per  second. 

4.  RELATED  TOPICS 

4.1.  Logic  Programming 

A  great  deal  of  attention  has  recently  been  given  to  the  Fifth  Generation  Computing 
project  in  Japan,  mostly  because  of  its  focus  on  Logic  Programming  as  the 
programming  method  of  choice.  Logic  Programming  shares  the  "single  assignment" 
characteristic  of  Functional  Programming,  as  well  as  the  declarative  style:  hence,  it 
is  ot  great  relevance  to  our  group.  In  order  to  learn  more  about  Logic  Programming, 
during  the  IAP  in  January  '84,  an  informal,  week  long  workshop  'was  held.  Talks  were 
presented  by  Jan  Komorowski,.  who  was  invited  from  Harvard.  Michael  Beckorle, 
Gary  Lindstrom  (a  visiting  scientist  from  the  University  of  Utah),  Arvind.  and  Gordon 
Robinson  (from  the  At  Laboratory).  The  talks  covered  topics  ranging  from  the 
fundamentals  of  logic  programming  to  current  efforts  In  the  parallel  processing  of 
logic  programs. 

4.2.  New  Equipment 

Five  Symbolics  3600s  were  acquired  as  the  first  of  64  machines  for  the 
Multiprocessor  Emulation  Facility.  These  machines  are  in  the  process  of  being 
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upgraded  to  3670s.  Each  machine  has  6  megabytes  ot  main  memory  and  one 
machine  is  equipped  with  500  megabytes  of  disk  storage  for  file  service.  An 
additional  1.6  gigabytes  of  disk  memory  was  installed  on  the  group's  VAX-750,  also 
for  file  server  use  by  the  3670s.  A  total  of  sixteen  3670s  are  expected  by  the  end  of 
this  year.  Several  IBM  PCs,  networked  onto  TCP/IP  speaking  Ethernet,  were  also 
obtained.  The  PCs  are  used  for  local  editing,  software  development,  and  laboratory 
instrumentation  control. 

4.3.  Support  Tools 

As  his  first  UROP  project.  Dinarte  R.  Morais.  an  undergraduate  member  of  the 
group,  implemented  an  interactive  illustrator  program,  which  is  now  being  used  by 
members  of  both  the  LCS  and  Al  labs.  The  program,  called  illustrate,  is  an 
interactive  illustrator  for  creating  pictures  composed  of  lines,  curves  and  text 
captions,  and  was  modeled  after  the  oraw  program  available  on  Alto  computers,  as 
described  in  the  Alto  User's  Handbook. 

The  problems  with  using  the  existing  draw  program  on  the  Alto  computers  include 
the  fact  that  pictures  could  not  be  very  complicated  due  to  the  relatively  small 
amount  of  memory  available.  In  addition,  draw  came  as  is  and  consequently  could 
not  be  customized.  Finally,  the  few  Alto  computers  left  are  getting  older  and  less 
reliable,  and  it  was  hoped  that  illustrate  could  allow  our  group  to  finally  do  away 
with  the  Altos. 

illustrate  was  implemented  in  ZetaLisp  on  a  Symbolics  3600  Lisp  Machine.  The 
advantages  of  illustrate  over  draw  are  many.  One  advantage  is  that  there  is  no 
practical  limit  to  the  complexity  of  a  picture  created  with  illustrate.  More 
importantly,  we  now  have  the  ability  to  customize  the  program  to  suit  our  needs. 
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4.  PARTIAL  EVALUATION  AND  PROGRAMMING  LANGUAGE 
DESIGN 

This  is  a  new  activity  in  our  group,  and  is  work  that  has  been  done  in  conjunction 
with  two  of  my  graduate  students.  John  Lucassen  and  Richard  Schooler.  The  basic 
thesis  of  the  work  is  that  if  built  on  types  are  roughly  as  efficient  as  built-in  types  then 
programming  languages  will  be  more  flexible  and  able  to  meet  the  needs  of  their 
users  than  is  possible  to  achieve  with  current  techniques.  The  optimization 
technology  that  we  have  been  exploring  is  called  partial  evaluation  because  it 
evaluates  a  program  as  best  as  possible  given  partial  information.  The  language  that 
we  are  using  for  our  work  on  partial  evaluation  is  called  IBL.  and  it  strongly 
resembles  Scheme.  In  the  past  year  we  have  completed  a  paitial  evaluator  that  has 
successfully  optimized  piograms  that  used  a  message  passing  system,  and  the 
partial  evaluator  has  also  converted  an  interpreter  for  a  simple  declarative  rule- 
based  language  into  a  compiler  for  the  same  language. 

Our  plan  for  next  year  is  to  complete  a  front-end  for  our  language  work  that  will 
transform  Modula-2  into  IBL.  All  type  computations  will  be  made  explicit  in  the 
transformation.  Because  Modula-2  is  strongly  typed  all  type  computations  and 
checks  will  be  performed  by  partially  evaluating  the  IBL  result  of  the  front-end. 
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2.4.  Plans  for  the  Next  Year 

In  the  next  year,  we  plan  to  improve  the  system  we  are  operating  in  a  number  of 
ways.  First,  we  plan  to  add  new  information  sources,  including  the  Associated 
Press.  We  have  also  started  a  joint  effort  with  the  Boston  Convention  and  Tourist 
Bureau  to  add  visitor  and  event  information  to  our  system.  Second,  we  plan  to  add 
personal  computer  access  to  our  central  site  database  system.  This  will  allow 
information  that  was  missed  when  it  was  broadcast  or  historical  information  to  be 
retrieved  in  the  same  framework  that  is  used  in  our  present  personal  database 
system.  Finally,  we  plan  to  evaluate  the  experiences  of  our  initial  test  audience. 

3.  ADVANCED  GRAPHICS  SUPPORT  FOR  USER  INTERFACES 

In  support  of  our  work  on  community  information  systems  we  have  been  working 
on  new  types  of  user  interfaces.  One  application  that  we  have  built  is  a  browser  for  a 
street  map  of  the  Boston  area.  It  permits  one  to  look  at  a  digital  map  of  the  entire 
area,  zoom  in  on  locations,  and  find  a  place  given  a  street  address.  The  original 
implementation  of  the  Boston  map  system  was  on  a  Symbolics  3G00,  a  fairly 
expensive  personal  machine.  The  map  system  work  is  continuing  on  low-cost 
Macintosh  personal  computers,  and  we  are  exploring  ways  of  integrating  it  with  new 
databases  that  we  will  be  receiving  from  the  Buston  Convention  and  Tourist  Bureau 
and  the  Massachusetts  Bay  Transportation  Authority. 

In  a  related  project  we  are  trying  to  discover  what  user  interface  metaphors  will  be 
useful  beyond  the  window  system  and  mouse  ideas  that  were  made  popular  by  bit¬ 
map  displays.  To  do  this,  we  are  using  an  advanced  display  system  provided  by  the 
combination  of  a  Symbolics  3600  and  the  Silicon  Graphics  IRIS  system.  The  Silicon 
Graphics  IRIS  is  a  polygon  display  engine  that  will  display  an  animated  color  scene 
of  300  polygons  in  real  time. 

In  the  past  year,  we  have  completed  a  3D  graphics  library  for  the  Symbolics  3600 
that  sends  graphics  commands  to  the  IRIS  over  a  serial  lino.  This  link  has  been  used 
to  show  portions  of  3D  databases  that  we  have  received  from  NASA,  including  the 
space  shuttle.  Our  goals  for  next  year  for  the  3600/IRIS  system  are  to  have  the  3600 
communicating  with  the  IRIS  via  an  IP/TCP  byte  stream  on  an  Ethernet,  to  fully 
specify  and  implement  a  graphics  library  that  permits  direct  specification  of 
kinematics,  and  to  bring  up  a  simple  application  that  demonstrates  the  capabilities  of 
the  foundation  that  we  are  building. 
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character  buffer  is  chosen  to  be  large  enough  to  buffer  characters  for  the  maximum 
latency  between  service  times  from  the  receive  task.  Once  the  receive  task  starts 
running  it  begins  to  empty  the  character  buffer.  The  character  stream  is 
reassembled  into  packets,  the  checksum  on  the  packets  is  checked,  and  the  packets 
are  reassembled  into  a  complete  segment  in  a  buffer  area.  If  the  segment  is 
encrypted  then  the  proper  key  is  computed  and  the  segment  is  decrypted  in  place. 

Once  a  segment  has  arrived  and  has  been  decrypted  it  is  checked  against  the 
user's  filter.  The  algorithm  that  is  used  to  check  a  text  segment  against  a  user’s 
keyword  filter  is  very  efficient,  and  runs  in  time  linear  in  the  size  of  the  segment. 
Thus  users  are  not  penalized  for  having  complex  filters.  If  an  incoming  segment 
does  not  match  a  user’s  filter,  it  is  discarded.  However,  if  the  segment  does  match 
the  filter  it  is  written  to  a  new  file  on  the  local  disk  and  the  file  is  indexed  in  the  local 
database  directory. 

As  mentioned  earlier,  while  all  of  this  is  going  on  the  user  task  services  requests 
from  the  keyboard.  The  user  interface  allows  users  to  type  in  queries  that  are  the 
same  as  filter  predicates.  Queries  are  boolean  combinations  of  words,  phrases,  and 
specifiers  of  subject,  author,  source,  importance,  and  so  forth.  Once  a  query  is 
entered  it  is  decomposed  and  the  local  database  directory  is  searched  for  matching 
entries.  The  entries  that  result  are  displayed  in  a  menu  format  on  the  screen.  At  this 
point  a  user  can  select  a  specific  entry  for  display  by  adding  its  number  to  the  query 
that  is  In  the  input  line,  or  the  user  can  enter  an  entirely  new  query.  The  user 
interface  includes  a  simple  window  manager  that  responds  to  page  up  and  page 
down  keys  in  the  event  output  will  not  fit  on  a  single  screen.  There  is  also  a  built  in 
help  facility  that  will  provide  instruction  on  how  to  use  the  system. 

2.3.  Digital  Radio  Receiver  Design 

To  support  an  experimental  user  population  we  have  designed  and  built  20 
receivers  for  our  broadcast  digital  signal  (D.  Gifford).  The  receiver  is  in  a  small  box 
that  has  input  connections  for  an  antenna  and  power  and  it  has  a  single  RS-232 
compatible  output  connection  that  plugs  into  the  serial  port  of  a  home  computer. 
The  parts  cost  of  the  receiver  is  approximately  $130.  This  includes  a  standard  FM 
receiver  front  end  card  that  we  buy  from  an  outside  supplier,  a  power  supply,  and 
our  own  PC  card  that  implements  the  subcarrier  demodulator. 

The  subcarrier  demodulator  is  comprised  of  seven  integrated  circuits  and  an 
assortment  of  discrete  components  for  the  analog  part  of  the  board.  The  subcarrier 
demodulator  works  by  taking  the  output  of  a  standard  FM  receiver  and  first  removing 
the  normal  programming  on  the  channel  with  a  4-pole  active  filter.  The  output  of  the 
filter  is  sent  to  an  FSK  receiver  chip  that  uses  a  phased  locked  loop  to  recover  the 
data  and  provide  an  RS-232  signal  on  the  output  terminals  of  the  receiver. 
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The  flow  of  information  in  our  system  is  as  follows.  Information  is  received  at  our 
central  database  system  at  MIT  from  a  number  of  sources,  including  the  New  York 
Times.  The  information  is  put  into  standard  form  and  placed  in  a  database.  This 
database  can  be  searched  on-line  and  users  can  also  keep  profiles  of  their  interests 
and  the  system  will  automatically  send  them  a  message  when  information  arrives 
that  matches  their  profile.  In  addition,  a  program  called  the  scheduler  (S.  Berlin) 
monitors  arrivals  to  the  database  and  schedules  them  for  transmission  out  over  our 
broadcast  channel  to  remote  personal  computer  users.  A  typical  information  item  is 
transmitted  a  number  of  times,  but  the  frequency  of  transmissions  can  depend  on 
the  type  and  priority  of  the  information  item. 

The  communication  channel  that  we  use  to  communicate  with  remote  users  is  a 
4.8  KBit/second  broadcast  channel  that  is  piggybacked  on  a  normal  FM  broadcast 
station.  The  channel  uses  asynchronous  signalling  to  keep  the  cost  of  receiver 
hardware  low;  the  receiver  that  we  have  designed  plugs  directly  into  the  RS-232  port 
of  personal  computers. 

To  use  the  communication  channel  effectively  we  have  developed  a  broadcast 
packet  protocol.  This  protocol  allows  multiple  data  streams  to  be  multiplexed  on  a 
single  channel,  and  provides  for  packet  error  detection  and  error  recovery.  A 
theoretical  model  of  the  communication  channel  that  we  developed  allowed  us  to 
compute  the  optimum  packet  size  for  our  system.  The  model  requires  the  byte-error 
rate  as  an  input  parameter.  Empirical  tests  were  done  at  various  locations  in  the 
Boston  area  to  compute  the  byte  error  rate  of  our  system. 

The  next  layer  of  protocol  up  from  packet  transport  provides  for  the  transport  of 
arrays  of  bytes  called  segments.  Software  above  the  segment  layer  is  insensitive  to 
the  packet  size  that  we  use  and  the  number  of  packet  retransmissions  that  are  done 
to  enhance  reliability.  The  segment  layer  also  provides  for  encryption.  A 
master/sub  master  scheine  is  used  so  that  the  compromise  of  a  single  segment  key 
will  not  disclose  a  master  key. 


2.2.  Personal  Database  Software 

The  personal  database  software  that  we  have  completed  (J.  Lucassen)  serves  two 
functions.  First,  the  receive  task  listens  to  the  packet  radio  broadcasts  and  keeps 
the  local  database  up  to  date.  Incoming  database  updates  are  incorporated  if  they 
pass  a  filter  that  the  user  has  specified.  At  the  same  time  that  the  receive  task  is 
keeping  the  database  up  to  date,  the  user  task  processes  queries  from  users.  These 
two  tasks  run  as  separate  processes  under  MS  DOS  using  a  package  written  by  the 
Computer  Systems  and  Communications  Group  of  our  Laboratory. 

The  receive  task  services  a  character  buffer  that  is  filled  at  interrupt  level.  The 
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1.  INTRODUCTION 

The  Imaginative  Systems  Group  is  involved  in  a  project  to  build  and  experiment 
witn  new  types  of  man-macnine  communication  systems.  The  first  system  that  we 
have  built  is  a  large-scale  community  information  system  that  is  now  operating  in  the 
Boston  area.  As  described  below,  information  is  transmitted  via  a  broadcast  packet- 
radio  system  to  home  computers  where  it  is  received  by  a  customizable  personal 
dataoase  system.  The  next  section  describes  tnis  work  in  detail.  A  second  project 
that  we  nave  oeen  invoiveo  in  is  the  optimization  of  programming  languages  by  a 
technique  calied  partial  evaluation.  The  results  of  the  first  partial  evaluator  that  we 
built  were  encouraging,  and  we  are  proceeding  to  build  a  front-end  for  a 
contemporary  programming  ianguage  to  test  our  ideas  further.  The  second  section 
of  our  group  s  progress  report  gives  a  description  of  what  we  have  accomplished  in 
this  area  in  tne  past  year. 

2.  THE  BOSTON  COMMUNITY  INFORMATION  SYSTEM 

As  described  in  our  original  DARPA  proposal,  we  are  engaged  in  building  a  new 
type  of  community  iniormation  system.  The  system  has  a  number  of  novel  aspects 
that  differentiates  it  from  other  such  systems.  First,  it  uses  a  synthesis  of  uni¬ 
directional  (broaacast)  packet  radio  communication  and  personal  computers  to 
provioe  a  cusiomized  iniormation  service.  Second,  because  uni  directional 
communication  is  used  ine  system  can  oe  used  by  an  arbitrary  number  of  users. 
Third,  an  extensive  protection  mecnanism  nas  oeen  specified  and  implemented  that 
provides  rine-grameo  access  control.  Access  can  be  controlled  on  the  basis  of 
information  source,  or  access  can  be  limited  to  certain  time  periods.  Finally,  we 
provioe  a  sopnisticateo  query  interface  based  on  free- text  searcnirig  as  opposed  to 
simpler  menu-baseo  approaches  used  in  other  community  information  svstems. 

In  tne  past  year  we  nave  oegun  regular  transmissions  of  information  over  our 
broadcast  pacKet-radio  system,  completed  tne  design  and  implementation  of  our 
personal  dataoase  sortware  for  the  IBM  PC,  and  finished  the  first  build  and  checkout 
of  20  data  receivers  tor  our  test  of  the  system  this  summer.  The  following 
paragrapns  describes  each  of  these  accomplishments  in  more  detail. 

2.1.  Broaacast  Packet  Radio  System 

Our  regular  transmissions  to  home  computers  began  on  April  15,  1984.  The  FM 
radio  station  tnai  we  use,  MIT’s  WMBR,  is  on  the  air  for  approximately  14  hours  a 
day.  During  tnis  time  we  transmit  our  packet  protocol  on  their  subcarrier.  Our  tests 
in  the  field  show  that  on  WMBR's  200  watt  transmitter  with  10%  subcarrier  injection 
we  acnieve  a  primary  service  area  that  lies  within  five  miles  of  the  transmitting  tower 
in  Kendall  Square,  CamDridge. 
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Cambridge,  MA,  expected  April  1985. 
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11.  Papadopoulos,  G.M.  and  Arvind  "Dataflow  Models  for  Fault-Tolerant 
Control  Systems,"  American  Control  Conference  Proceedings,  San 
Diego,  CA,  June  1984. 
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1.  INTRODUCTION 

One  of  the  goals  of  information  mechanics  is  to  explore  the  possibility  of  virtually 
nondisrpative  computing.  To  this  end,  it  is  necessary  to  establish  a  very  close 
match  between  the  logical  structure  of  the  desired  computation  and  the  physical 
structure  of  the  computer  that  should  carry  it.  This  approach  has  given  significant 
insights  into  the  information-processing  aspects  of  reversible  dynamical  systems.  It 
has  also  provided  novel,  conceptually  attractive  tools  in  the  mathematical  modeling 
of  physics. 

The  theoretical  aspects  of  our  work  were  complemented  and  stimulated  by  work 
concerned  with  the  efficient  implementation  of  such  abstract  tools  by  means  of 
special-purpose  machines. 


2.  A  MATURE  VERSION  OF  THE  CELLULAR  AUTOMATON 
MACHINE 

After  three  years  of  design  and  development,  CAM  (Tom  Toffoli's  high- 
performance  machine  dedicated  to  the  simulation  of  cellular  automata  and  other 
distributed  discrete  dynamical  systems)  this  spring  has  reached  a  mature  form  under 
which  it  will  get  into  the  world.  System  Concepts  (San  Francisco,  CA)  is  now 
building  a  version  that  fits  a  single  slot  of  the  IBM  PC.  This  version  should  be 
commercially  available  this  fall.  Norm  Margolus  has  provided  a  FORTH  package  to 
drive  the  now  CAM. 


3.  A  NEW  CLASS  OF  CELLULAR  AUTOMATA 

Our  research  this  past  year  has  received  a  big  boost  following  the  discover  (by 
Norm  Margolus)  of  a  new  family  of  cellular  automata  based  on  local  functions  with 
equal  numbers  of  inputs  and  outputs  [3].  In  these  "partitioning"  cellular  automata 
(PCA),  many  properties  of  the  overall  evolution  carry  over  in  a  straightforward 
manner  from  those  of  the  local  evolution.  For  example,  if  the  local  mapping  is 
invertible,  so  is  the  global  mapping. 

The  Billiard-Ball-Model  Cellular-Automaton  (BBMCA).  an  instance  of  PCA  provides 
a  basis  for  universal  computation  since  it  simulates  a  classical  mechanical  model  of 
computation  [3].  It  thus  constitutes  a  laboratory  in  which  to  study,  among  other 
things,  the  relevance  of  energy  and  entropy  analogues  in  computer  models.  The 
BBMCA  also  yields  a  description  of  deterministic  computations  which  could,  in 
principle,  operate  within  the  constraints  of  a  local  quantum-mechanical  Hamiltonian 
[4].  We  are  studying  the  question  of  whether  a  truly  parallel  quantum 
implementation  of  such  a  cellular  automaton  can  operate  at  a  uniform  computational 
rate.  If  this  is  the  case,  an  important  barrier  to  computation  using  elements  of  atomic 
dimensions  will  have  bet'n  passed. 
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4.  PARALLEL  COMPUTATION  OF  THE  DYNAMICS  OF 
DISTRIBUTED  SYSTEMS 

Cellular  automata  provide  a  stimulus  to  designing  algorithms  which  effectively 
exploit  the  potential  of  massively  parallel  hardware.  Gerard  Vichniac  [5]  has  studied 
the  effects  of  synchronous  updating  in  a  regular  network  of  locally  interconnected 
Boolean  variables  (i.e.,  Ising  spins).  Surprisingly,  even  in  this  very  simple  instance  of 
distributed  system,  one  must  strictly  follow  somewhat  counter  intuitive  rules  in  order 
to  make  a  full  use  parallel  computational  resources  [1], 

5.  DISCRETE  REPLACEMENTS 

While  digital  computers  are  discrete  objects,  the  language  of  most  mathematical 
physics  employs  continuum  structures  {viz.,  differential  equations).  In  order  to 
overcome  this  mismatch  and  let  computers  do  what  they  do  best,  i.e.,  logical 
manipulation  of  bits  as  opposed  to  necessarily  imprecise  floating-point  arithmetic 
we  have  investigated  finitary  models  based  on  the  combinatorics  of  a  large  number 
of  discrete  variables.  We  have  found,  using  PCAs,  that  the  well-known  parabolic 
("heat")  and  hyperbolic  ("wave")  partial  differential  equations  are  the  limits,  over 
distances  much  greater  than  the  mean  free  path,  of  suitable  lattice  gases  of  binary 
variables. 

We  have  continued  this  year  our  program  of  reducing  concepts  from  physics  to 
computational  primitives  such  as  counting,  labeling,  and  comparing  [5][2].  We 
recently  found  that  any  iterated  deterministic  manipulation  on  a  random 
configuration  of  symbols  is  analogous  to  the  quenching  of  a  disordered  system  to 
low  temperatures.  This  sheds  some  new  light  on  the  processes  of  ordering  via 
domain  growth  and  interface  motion. 

6.  THE  QCD  MACHINE  PROJECT 

We  have  been  involved  since  January  1984  in  the  design  and  construction  of  a 
special  purpose  machine  for  calculating  properties  of  elementary  particles  on  the 
basis  of  Quantum  Chromodynamical  (QCD)  theoretical  formulations.  This  machine 
will  be  based  on  VLSI  processing  elements  connected  to  parallel  data  streams 
coming  from  a  very  large  RAM.  It  will  actually  calculate  inverses  of  very  large 
sparser  matrices,  and  should  apply  to  a  wide  class  of  different  problems,  in  particular 
to  the  numerical  solution  of  partial  differential  equations. 

This  project  is  carried  on  in  collaboration  with  R.  Giles  (MIT  Center  for  Theoretical 
Physics),  R.  Brower  (visitor  from  University  of  Santa  Cruz  Department  of  Physics), 
and  R.  Suaya  (Fairchild  Corporation).  The  particular  input  of  our  group  in  this 
collaboration  consists  in  applying  the  experience  we  have  gained  with  the 
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construction  of  CAM  in  special-purpose  computer  architecture,  in  particular  in  the 
problems  concerning  memory  management  and  interfacing  the  special  machine  with 
a  host  general  purpose  computer. 

7.  A  WORKSHOP  ON  PHYSICS  AND  COMPUTATION 

In  order  to  promote  a  rapid  communication  of  recent  results  and  an  exchange  of 
information  among  leading  physicists  and  computer  scientists,  we  organized  the 
Second  International  Workshop  on  "Physics  and  Computational  Processes,"  that 
was  held  in  January  1984. 


122 


INFORMATION  MECHANICS 


References 

1.  Brower,  R.,  Giles,  R.  and  Vichniac,  G.  "Cellular  Automata  and  the 
Parallel  Computations  of  Ising  Spins,”  MIT  Laboratory  for  Computer 
Science,  Cambridge,  MA,  to  appear. 

2.  Fredkin,  E.  "Digital  Information  Mechanics,"  MIT  Laboratory  for 
Computer  Science,  Cambridge,  MA,  to  appear. 

3.  Margolus,  N.  "Physics-like  Models  of  Computation,”  Physica  10D  (1984) 
81-95. 


4.  Margolus,  N.  "Quantum  Computation,"  MIT  Laboratory  for  Computer 
Science,  Cambridge,  MA,  to  appear. 

5.  Vichniac,  G.V.  "Simulating  Physics  with  Cellular  Automata,"  Physica 
10D  (1984)  96-116. 


Publications 

1.  Farmer,  D.  and  Toffoli,  T.  Proceedings  of  the  Cellular  Automata 
Workshop,  S.  Wolfram  (ed.),  North  Holland  Publishing,  1984.  Also  in 
Physica  D  10D  (1984)  1  and  2. 

2.  Ritzenberg,  A.L.  and  Vichniac,  G.Y.  "Exact  Results  in  a  Periodically 
Driven  Ising  Model,"  MIT  Laboratory  for  Computer  Science,  Cambridge, 
MA,  to  appear. 

3.  Toffoli,  T.  "CAM:  A  High  Performance  Cellular-Automaton  Machine," 
Physica  10D  (1984)  194-205. 

4.  Toffoli,  T.  "Cellular  Automata  as  an  Alternative  to  (rather  than  an 
Approximation  of)  Differential  Equations  in  Modeling  Physics,"  Physica 
10D  (1984)  117-127. 

5.  Toffoli,  T.  "A  Comment  on  'Dissipation  and  Computation’,"  to  appear  in 
Phys.  Rev.  Letter,  1984. 

6.  Vichniac,  G.Y.  "Instability  in  Discrete  Algorithms  and  Exact 
Reversibility,"  SIAM  Journal  Alg.  Disc.  Methods,  5,  4  (December  1984), 
to  appear. 


123 


INFORMATION  MECHANICS 


Thesis  in  Progress 

1.  Margolus,  N.  "Physics  and  Computation,"  Ph.D  dissertation,  MIT 
Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  expected  1985. 

Talks 

1.  Toffoli,  T.  "CAM:  A  High-Performance  Cellular  Automaton  Machine," 
IBM  T.J.  Watson  Research  Center,  Yorktown  Heights,  NY,  March  7, 
1984. 

2.  Toffoli,  T.  "Dedicated  Hardwares  for  the  Physical  Problems:  Ising  Spins 
in  the  Microcanonical  Ensemble,  and  QCD,"  Brookhaven  National 
Laboratory,  Brookhaven,  NY,  May  2, 1984. 

3.  Vichniac,  G.Y.  "Simulating  Physics  with  Cellular  Automata," 

Northeastern  University,  Boston,  MA,  October  1983 

Schlumberger-Ooll  Research,  NJ,  November  1983 

MIT  Chemical  Physics  Colloquium,  Cambridge, 

November  1983 

Nuclear  Theory  Seminar,  University  of  Maryland, 

February  1984 

IBM  T.J.  Watson  Research  Center,  Yorktown  Heights,  NY, 

March  1984 

Joint  Theoretical  Physics  Seminar,  Cambridge,  MA, 

March  1984 

Argonne  National  Laboratory,  May  1984 

4.  Vichniac,  G.Y.  "Faster  than  1000  Vaxes,"  Physics  Department, 
University  of  Chicago,  Chicago,  IL,  May  16, 1984. 

5.  Vichniac,  G.Y.  "Demonstration  of  the  CAM  Machine," 

Rutgers  University  Statistical  Mechanics  Meeting,  December 
1983. 

Disorderly  Growth  and  Scaling,  Exxon  Meeting,  Princeton, 

NJ,  August  1983. 


124 


MESSAGE  PASSING  SEMANTICS 


Academic  Staff 
C.E.  Hewitt,  Group  Leader 

Research  Staff 

Gerald  Barber 

Support  Staff 

C.  Smith 


MESSAGE  PASSING  SEMANTICS 


1.  OPEN  SYSTEMS 

Through  this  report,  we  describe  some  problems  and  opportunities  associated  with 
describing  and  taking  action  in  the  kind  of  "open  systems"  we  foresee  must  and  will 
be  increasingly  recognized  as  a  central  line  of  computer  system  development. 
Computer  applications  will  be  based  on  communication  between  systems  which  will 
have  been  developed  separately  and  independently.  Some  of  the  reasons  for 
independent  development  are  the  following:  competition,  different  goals  and 
responsibilities,  economics,  and  geographical  distribution.  We  must  deal  with  all  the 
problems  that  arise  from  this  conceptual  disparity  of  systems  which  have  been 
independently  developed.  Systems  will  be  open  ended  and  incremental  •• 
undergoing  continual  evolution.  There  are  no  global  objects.  The  only  thing  that  all 
the  various  systems  hold  in  common  is  the  ability  to  communicate  with  each  other. 
In  this  paper  we  study  description  and  actions  in  Open  Systems  from  the  viewpoint  of 
Message  Passing  Semantics,  a  research  program  to  explore  issues  in  the  semantics 
of  communication  in  parallel  systems  such  as:  negotiation,  transaction  management, 
problem  solving,  change,  and  self-knowledge. 

The  kind  of  systems  we  envisage  are  be  open-ended  and  incremental  -• 
undergoing  continual  evolution.  In  an  open  system  it  becomes  very  difficult  to 
determine  what  objects  exist  at  any  point  in  time.  For  example  a  query  might  never 
finish  looking  for  possible  answers.  If  a  system  is  asked  to  find  all  the  current  mail 
address  of  people  who  have  graduated  from  MIT  since  1930,  it  might  have  a  hard 
time  answering.  It  can  give  all  the  telephone  numbers  it  has  found  so  far,  but  there  is 
no  guarantee  that  another  one  can't  be  found  by  more  diligent  search.  These 
examples  illustrate  how  the  "closed  world  assumption"  is  intrinsically  contrary  to  the 
nature  of  Open  Systems.  We  understand  the  "closed  world  assumption"  to  be  that 
the  information  about  the  world  being  modeled  is  complete  in  the  sense  that  all  and 
only  the  relationships  that  can  possibly  hold  among  objects  are  those  implied  by  the 
given  information  at  hand  [33].  Systems  based  on  the  "closed  world  assumption" 
typically  assume  that  they  can  find  all  the  instances  of  a  concept  that  exist  by 
searching  their  local  storage.  In  contrast  we  desire  that  systems  be  accountable  for 
having  evidence  for  their  beliefs  and  be  explicitly  aware  of  the  limits  of  their 
knowledge.  At  first  glance  it  might  seem  that  the  closed  world  assumption,  almost 
universal  in  the  A.I.  and  database  literature,  is  smart  because  it  provides  a  ready 
default  answer  for  any  query.  Unfortunately  the  default  answers  provided  become 
less  realistic  as  the  Open  System  increases  in  size. 

2.  DESCRIPTIONS  OF  BEHAVIOR 

To  build  a  conceptual  modeling  system  for  Open  Systems,  we  need  to  develop  a 
coherent  understanding  of  the  semantics  of  concurrent  message  passing  systems. 
Message  Passing  Semantics  is  a  research  program  to  explore  issues  in  the 
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semantics  of  communication  in  parallel  systems.  It  builds  on  ^ctor  Theory  as  a 
foundation  for  the  conceptual  modeling  of  Open  Systems.  This  involves  important 
aspects  of  parallelism  and  serialization  beyond  the  sequential  coroutine  message 
passing  developed  in  systems  like  Simula  and  SmallTalk. 

An  actor  system  is  composed  of  abstract  objects  called  actors.  Actors  are  defined 
by  their  behavior  when  they  accept  communications.  When  a  communication  is 
accepted  an  actor  can  perform  the  following  kinds  of  actions  concurrently:  make 
simple  decisions  (such  as  whether  some  actor  it  received  in  the  communication  is 
the  same  as  one  of  its  acquaintances),  create  new  actors,  transmit  more 
communications  to  its  own  acquaintances  as  well  as  the  acquaintances  of  the 
communication  accepted,  and  change  its  behavior  for  the  next  message  accepted 
(i.e.,  change  its  local  state)  subject  to  the  constraints  of  certain  laws  [17]. 

3.  AN  EXAMPLE 

In  this  section  we  describe  the  behavior  of  a  simple  actor  which  is  a  shared 
checking  account  which  we  will  call  ACCOUNT43.  One  kind  of  description  might 
be  a  partial  description  of  what  happened  when  the  actor  ACCOUNT43  with  a 
balance  of  $10  accepted  a  request  to  make  a  deposit  with  amount  $2  for  customer 
c2.  and  as  a  result  created  the  actor  $12,  sent  a  Completion  report  to  c2,  and 
became  an  account  with  balance  $12: 


I 
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ACCOUNT43 


Kan  Actor 

(with  balance  $10) 

(with  behavior 
(a  Behavior 

(with  communicationAccepted 
(a  Request 
(with  message 

(3  Deposit  (with  amount  a))) 

(with  customer  c))) 

(with  becomes 

(new  Account  (with  balance  ($10  +  a))))' 
(with  sendTo 
(4  ReplyT  o 
(with  target  c) 

(with  message  (a  Completion)))) 


******* 


*  ACCEPTED  * 
******* 


V* 


t(a  Request 
|  (withessaoe 

|  (a  Deposit  (with  amount  $2))) 
|  (with  customer  c2)) 


******* 

•>*REPUEDTO  «—»|  (a  Completion)  1 
♦  BECAME  *  *  cJ  * 

**£**  ******* 


*  *  *  *  * 


(an  Actor 
(with  balance  $12) 

(with  behavior 
(a  Behavior 

(with  communicationAccepted 
(a  Request 
(with  message 

(a  Deposit  (with  amount  a))) 

(with  customer  c))) 

(with  becomes  , 

(rew  Account  (with  balance  ($12  +  a))))  l 

(with  sendTo 

(®uxx(a)  ReplyTo  | 

(with  target  c)  I 

(with  message  (a  Completion))))  1 


A  Happening 
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Complete  descriptions  of  the  history  of  what  happened  can  be  constructed  by 
keeping  careful  records  of  ongoing  computations.  The  Time  Warp  System  [21]  is  a 
particularly  elegant  way  to  collect  and  keep  the  records  in  a  useful  format.  Such 
records  can  be  used  by  an  actor  in  an  Open  System  to  keep  track  of  the  effects  of  its 
actions.  However  these  records  do  not  in  general  make  the  effects  of  a  given  action 
deterministic  because  of  the  effects  of  other  actors  in  the  Open  System.  Taking  the 
same  action  in  the  future  in  what  appears  to  a  single  actor  as  being  identically  the 
same  circumstances  as  when  the  action  was  previously  taken  can  have  different 
effects  in  an  Open  System. 

The  modeling  of  shared  resources  is  fundamental  to  Open  Systems.  Actor  systems 
aim  to  provide  a  clean  way  to  implement  effects  {not  "side-effects”  a  term  that  has 
been  used  as  a  kind  of  curse  by  proponents  of  purely  applicative  programming  in  the 
lambda  calculus).  By  an  effect  we  mean  a  local  state  change  in  a  shared  actor  which 
causes  a  change  in  behavior  that  is  visible  to  other  actors.  For  example  sending  a 
deposit  to  an  account  shared  by  multiple  users  should  have  the  effect  of  increasing 
the  balance  in  the  account. 

ACCOUNT43  is  an  example  of  the  kind  of  shared  resource  which  is  important  in 
the  conceptual  modeling  of  Open  Systems.  Such  shared  resources  should  be 
suitab'e  for  use  by  a  growing  collection  of  users.  To  a  given  user,  a  shared 
SharedAccount  will  exhibit  indeterminacy  in  the  balance  depending  on  the 
deposits  and  withdrawals  made  by  other  users.  The  indeterminacy  arises  from  the 
indeterminacy  in  the  arrival  order  of  messages  at  (he  shared  account. 

A  SharedAccount  inherits  attributes  and  behavior  ftom  both  the  description  of  an 
Account  and  the  description  of  a  Possession. 

t . — ~ 

Kfln  Account 

|  (with  balance  (an  Amount)))  \ 

l  • 


](a  Possession  j 

|  (with  owners  (a  Set))))  » 

i 


I 

IS 

I 


|  (a  SharedAccount)  | 


Multiple  Inheri tance 
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Dealing  with  the  issues  raised  by  the  possibility  of  being  a  specialization  of  more 
than  one  description  has  become  known  as  the  "Multiple  Inheritance  Problem".  A 
number  of  approaches  have  been  developed  in  the  last  few  years  including  the 
following:  [40l[  1 1][8][[6]  and  [7],  Out  approach  differs  in  that  it  builds  on  the  theory 
of  an  underlying  description  system  [1]  and  in  the  fact  that  it  is  designed  for  a 
parallel  message  passing  environment  in  contrast  to  the  sequential  coroutine  object- 
oriented  programming  languages  derived  from  Simula.  Traditional  properties  of 
transactions  (e.g..  the  all  or  nothing  property)  can  be  implemented  by  actors 
following  the  appropriate  message  protocols.  These  actors  are  called  transaction 
managers.  SharedAccount  actors  could  be  implemented  as  specializations  of 
transaction  managers  and  thereby  acquire  the  proper  message  protocol. 

If  an  actor  can  change  its  local  state,  it  is  called  a  serialized  actor.  A  serialized 
actor  accepts  only  one  message  at  a  time  for  processing:  it  will  not  accept  another 
message  for  processing  until  it  has  dealt  with  the  one  which  it  is  processing  in  at 
least  a  preliminary  fashion.  A  communication  received  by  a  serialized  actor  is 
processed  in  order  of  arrival 

4.  MESSAGE  PASSING  SEMANTICS 

Message  Passing  Semantics  takes  a  different  perspective  on  the  meaning  of  a 
sentence  from  that  of  truth  theoretic  semantics.  In  truth  theoretic  semantics,  the 
meaning  of  a  sentence  is  determined  by  the  models  which  make  it  true.  For  example 
the  conjunction  of  two  sentences  is  true  exactly  when  both  of  its  conjuncts  are  true. 
In  contrast  Message  Passing  Semantics  takes  the  meaning  oi  a  message  to  be  the 
effect  n  has  on  the  subsequent  behavior  of  the  system.  In  other  words  the  meaning 
of  a  message  is  determined  by  how  it  affects  the  recipients.  Each  partial  meaning  of 
a  message  is  constructed  by  a  recipient  in  terms  of  how  it  is  processed  [32].  The 
meaning  of  a  message  is  open  ended  and  unfolds  indefinitely  far  into  the  future  as 
other  recipients  process  the  message. 

At  a  deep  level,  understanding  always  involves  categorization,  which  is  a  function 
of  interactional  (rather  than  inherent)  properties  and  the  perspective  of  individual 
viewpoints  Message  Passing  Semantics  differs  radically  from  truth-theoretic 
semantics  which  assumes  that  it  is  possible  to  give  an  account  of  truth  in  itself,  free 
of  interactional  issues,  and  that  the  theory  of  meaning  will  be  based  on  such  a  theory 
of  liuth  [24], 

5.  LIMITATIONS  OF  DESCRIPTIONS 

One  of  the  most  challenging  problems  in  the  conceptual  modeling  of  Open 
Systems  is  sorting  out  the  relationship  between  doing  and  describing. 
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The  distinction  between  doing  and  describing  is  different  from  the  usual  distinction 
made  in  the  Artificial  Intelligence  literature  [29][t3]  between  the  epistemological 
adequacy  of  a  system  (its  accuracy  with  respect  to  truth-theoretic  semantics  [37] 
and  the  heuristic  adequacy  (the  efficiency  of  its  inferential  procedures  in  proving 
theorems).  Thus  the  distinction  between  epistemological  adequacy  and  heuristic 
adequacy  is  founded  on  the  basis  of  truth  theoretic  semantics.  Our  simple  example 
can  help  clarify  the  distinction.  An  epistemologically  adequate  theory  of  financial 
accounts  gives  an  accurate  description  of  the  rules  that  govern  them.  An 
heuristically  adequate  system  can  derive  theorems  in  the  theory  of  financial 
accounts  fast  enough  to  answer  queries.  Both  kinds  of  adequacy  are  concerned 
with  the  description  of  financial  accounts:  the  former  with  its  accuracy;  the  later  with 
the  efficiency  with  which  the  description  can  be  used  to  answer  questions. 

Neither  kind  of  adequacy  actually  accomplishes  creating  a  shared  account  with  a 
$10  in  it  so  a  growing  set  of  geographically  dispersed  users  can  make  deposits  and 
withdrawals.  We  could  describe  a  certain  kind  of  account  with  an  axiom  such  as  the 
following: 

tw  >  o)  n>Jia 

(f f*pi  acceptance 

(a  JV'arwJAccount  (with  balance  b)) 

(a  i  }f,pos't  (with  amount  d)) 
f  i  CompleUunHeport 

{w?^  NesuitinyBalance  {b  +  d))))) 

where  the  variables  b  and  d  are  universally  quantified  and  the  predicate 
replies-after-acceptance  takes  three  arguments  which  are  a  description  of  the 
local  state  of  an  actor  when  it  accepts  a  request  message,  a  dcscnption  of  the 
request  accepted,  and  a  description  of  the  reply  to  the  request,  respectively.  Now  it 
should  be  clear  that  hypothesizing  tfiat  ACCOUNT43  satisfies  the  following 
description: 


(a  Sb^cd  Account 

(w  tM  fnifaKFUl.l'M'c  %?0) 

(w  th  Pljc*?  Bank  OH  ondon) 

(wth  T  ifric  December  :v  i'W/' j) 

does  not  by  itself  actually  create  such  an  account.  Indeed  the  above  assertion  is 
ambiguous  between  the  following  interpretations: 

•  Hypothesis  Interpretation :  We  have  just  discovered  that  ACCOUNT43 
is  already  such  an  account  and  want  to  explicitly  record  this  in  the  data 
base. 


•  Goal  Interpretation :  We  want  to  declare  our  goal  of  having 
ACCOUNT43  be  such  an  account  and  we  will  devote  some  effort  to 
establishing  the  goal. 
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To  actually  create  the  account  requires  actually  providing  the  money  for  the  initial 
deposit  in  the  account  Making  assertions  by  itself  will  not  suffice.  Similarly 
asserting  the  ACCOUNT'13  is  not  a  Shared  Account  on  the  other  side  of  the  country 
does  not  in  itself  destroy  the  account. 

A  common  bug  in  attempting  to  model  computation  in  open  systems  is  to  assume 
that  an  agent  sending  messages  can  determine  the  order  in  which  they  will  be  seen 
by  the  recipient.  It  is  important  to  realize  that  the  above  assumption  is  contrary  to 
the  nature  of  Open  Systems.  Implementing  shared  resources  inherently  involves 
being  open  to  outside  communications,  even  those  put  forth  by  parties  which  joined 
the  Open  System  after  the  request  being  considered  was  received. 

6.  TAKING  ACTION 

Knowing  that  something  is  true  and  taking  action  to  make  it  come  true  are  two 
different  things  Roth  are  important  and  they  should  not  be  contused.  In  this  section 
we  discuss  how  actors  can  take  action  to  supplement  the  previous  sections 
discussion  of  how  they  can  manipulate  descriptions. 

Actions  such  as  creating  a  new  shared  account  with  balance  $12  and  owner  Ken 
can  bo  performed  by  evaluating  an  expression  such  as  the  one  below  in  the 
programming  language  Act2: 


i  '  >v  Sh.irccJAccotjnt 

(wi'.h  (>},;: v  t'J  account)  $1?) 

(wTh  (Own»;r$  of  Possession)  { Ken } )) 

Below  we  present  part  of  fhe  implementation  of  Sharedoccount.  This 
implementation  is  written  out  in  "parenthesized  English"  [22][14][i6][26][38]  which 
is  gradually  developing  into  a  technical  language.  The  underlined  words  have 
special  technical  meanings. 
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(Define 

(new  SharedAccount  (with  (balance  of  Account)  b) 
(with  (owners  of  Possession)  s)) 
to  have  the  following  implementation: 

(create  a  new  actor  with  the  behavior  that 

after  acceptance,  select  one  of  the  following  handlers 

for  the  communication  accepted: 

(if  it  5  (Query  (balance  of  Account))  request. 

(reply  b)) 

(if  it  is  (a  Withdrawal  (with  Amount  w))  request, 
(select  one  of  the  following  cases  for  w 
( 1 ! 't  ;s  (less  than  or  equal  to  b). 

(reply  (a  CompletionReport))  as  well  as 
(become  (new  SharedAccount 

(wMh  (balance  of  Account)  (b  w))))) 

(it  It  IS  (greater  than  b), 

(complain  (an  Overdraft  Complaint))))) 

(If  it  ls  (g  Deposit  (with  Amount  d))  request. 

(reply  (a  CompletionReport 

(with  ResultmgUalance  (b  *  d)))) 
(become  (new  SharedAccount 

(with  (balance  of  Account)  (b  *  d))))) 

(If  it  IS  (query  (owners  of  Possession))  request. 
(repliS)) 


.) 

At  this  point  we  would  like  to  take  note  of  several  unusual  aspects  of  the  above 
implementation.  By  default,  commands  in  the  body  ot  a  procedure  are  executed 
concurrently.  For  example,  in  the  communication  handler  for  Withdrawal  requests 
above,  the  following  two  commands  are  executed  concurrently: 

(reply(aCompio(it)n  Report)) 

(b€Co;F>e(newShat(<1Accoont(with(balance  o*Account)(b  -  w)))) 


The  principle  of  maximizing  concurrency  is  fundamental  to  the  design  of  actor 
programming  languages.  It  accounts  for  many  of  the  differences  with  conventional 
languages  based  on  communicating  sequential  processes.  Another  example  of 
maximizing  concurrency  is  that  the  processing  of  messages  by  a  serialized  actor  can 
be  pipelined.  Serialized  actors  can  bo  pipelined  since  processing  on  a  subsequent 
message  can  commence  once  the  become  command  has  been  executed  since  it 
designates  the  actor  which  will  process  the  subsequent  message.  For  example  after 
accepting  a  Withdrawal  message  then  executing  the  following  become  command 


(bccoinefncwSbaredArcoiinKwi'fifhalaoqpnfArr.oufilKb  w))» 
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action  of  the  call  has  aborted  (this  would  happen,  for  example,  if  the  top  action  ran  at 
the  crashed  guardian),  or  that  some  ancestor  of  the  handler  call  will  contain  an 
appropriate  aid,  i.e.,  an  ancestor  of  the  call,  in  its  aborts  Jist. 

For  example,  consider  the  case  of  the  system  aborting  the  call.  Recall  that  in 
executing  a  handler  call,  the  system  actually  creates  two  subactions,  one.  the  call 
action,  at  the  calling  guardian  and  another,  the  handler  action,  at  the  called 
guardian.  The  call  action  is  a  child  of  the  action  making  the  call,  and  the  handler 
action  is  a  child  of  the  call  action.  Two  actions  are  needed  so  that  the  call  can  be 
aborted  independently  at  the  calling  guardian  even  if  the  handler  action  committed 
at  the  called  guardian.  This  detail  was  suppressed  in  the  action  tree  shown  in  Figure 
111.  When  the  system  aborts  the  call  action  at  the  calling  guardian,  it  inserts  the  aid 
of  this  subaction  in  the  aborts  Jist  of  its  parent.  Thus,  the  aborts  Jist  of  an  ancestor 
of  the  handler  action  contains  an  appropriate  aid. 

2.3.  Two-phase  Commit 

Distributed  commitment  in  Argus  is  carried  out  by  a  standard  two-phase  commit 
protocol  [7],  [12].  In  this  protocol,  the  guardian  of  the  committing  top  action  acts  as 
the  coordinator.  The  other  guardians,  namely  those  in  the  plist,  act  as  the 
participants. 

The  coordinator  sends  the  aborts. list  to  each  participant  in  the  prepare  message. 
When  a  participant  receives  a  prepare  message  for  some  top  action  A.  it  compares 
every  descendant  of  A  in  its  committed  with  the  actions  listed  in  the  aborts. list  of  the 
prepare  message.  If  a  descendant  of  A  is  not  also  a  descendant  of  some  action  in 
the  aborts .list,  then  it  is  known  to  have  committed  to  A.  In  this  case,  its  nlist  is  used 
to  cause  all  new  versions  created  lor  it  to  be  written  to  stable  storage.  If  D  is  a 
descendant  of  some  action  in  the  aborts.list.  its  effects  are  undone:  its  olist  is  used 
to  cause  its  locks  to  be  released  and  its  versions  discarded.  Thus  the  aborts.list  is 
used  at  the  participant  to  reconstruct  enough  of  the  action  tree  to  determine  what  to 
do  with  every  local  descendant  of  the  committing  top  action. 

Actually,  sending  just  the  aborts  list  in  the  prepare  message  is  not  quite  enough. 
as  the  following  example  illustrates.  If  a  guardian  crashes  after  running  some 
handler  calls  that  are  subactions  of  top  action  A.  and  then  tuns  more  handler  calls 
tha*  are  subactions  of  A  after  it  recovers,  only  the  latter  calls  will  be  listed  in 
committed.  If  a  handler  call  that  ran  before  the  crash  committed  to  the  top,  it 
versions  should  be  written  to  stable  storage.  Since  the  versions  wi-re  lost  in  the 
crash,  the  guardian  should  refuse  to  prepare.  However,  given  the  information 
discussed  so  far.  there  is  no  way  that  it  could  know  this  For  example,  consider  the 
action  tree  of  Figure  11-1,  and  suppose  that  A. 2.1  committed  at  03.  then  G3 
crashed,  and  after  G3  recovered  A.  1.1  ran  and  committed  there.  Die  algorithm 
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olist  The  list  of  local  atomic  objects  used  by  this  action  and  its  local 

committed  descendants 

These  lists  are  empty  when  an  action  starts.  Whenever  an  action  uses  an  atomic 
object,  this  information  is  added  to  its  olist.  The  other  data  are  modified  as 
descendants  of  the  action  commit  or  abort.  If  a  local  subaction  commits,  its  olist. 
phst  and  aborts  Jist  are  merged  with  those  of  its  parent.  Also  its  locks  and  versions 
are  propagated  to  its  parent.  If  the  local  subaction  aborts,  its  locks  and  versions  are 
discarded  (using  the  information  in  the  olist).  Since  the  action  is  aborting,  it  is 
contributing  no  participants  to  its  parent,  and  therefore  its  phst  is  discarded.  Finally, 
the  aborting  subaction's  aid  is  added  to  its  parent's  abortsjist  if  it  may  have 
committed  descendants  at  other  guardians.  This  will  be  true  if  either  its  plist  or  its 
abortsjist  is  non-empty,  or  if  it  is  waiting  on  a  handler  call  when  it  aborts. 

When  a  handler  call  is  made,  a  call  message  is  constructed  and  sent  to  the 
handler's  guardian.  Later  a  reply  message  is  sent  from  the  handler's  guardian  to  the 
caller’s  guardian.  This  reply  message  contains  a  plist  and  an  abortsjist.  which  are 
merged  with  those  of  the  caller.  Ttie  olist  is  not  sent  back  in  the  reply:  information 
about  used  objects  is  kept  locally  at  the  guardian  that  contains  the  objects. 

When  the  call  message  is  received  at  the  handler's  guardian,  a  subaction  is 
created  for  it.  with  its  associated  plist.  abortsjist  and  olist.  all  empty.  As  the  handler 
action  runs,  these  data  are  modified  as  described  above.  Now  let  us  consider  what 
happens  when  the  handler  action  completes.  First,  suppose  it  commits.  In  this  case 
its  aid  and  olist  are  stored  in  committed  at  its  guardian.  Its  gid  is  added  to  its  plist 
and  then  its  plist  and  abortsjist  are  sent  back  to  the  calling  guardian  as  part  of  the 
reply  message.  If  the  handler  call  aborts,  its  locks  are  released.  The  phst  in  the  reply 
message  is  empty.  If  the  aborting  subaction  made  no  remote  calls  that  may  have 
committed  at  other  guardians  (i.e.,  its  phst  and  abortsjist  are  empty),  the  abortsjist 
in  the  reply  message  is  empty;  otherwise  it  contains  the  aid  of  the  aborting  handler 
action. 

For  example,  when  A. 2  in  Figure  111  commits,  its  phst  with  its  gid  added  is  (G2. 
G3.  G5}  and  its  abortsjist  is  empty;  this  information  is  sent  to  G  in  the  reply 
message.  When  A.1  aborts,  its  plist  is  non  empty,  so  the  reply  message  contains 
abortsjist  {A.l}.  When  this  information  is  merged  at  G  we  end  up  with  the  phst  and 
abortsjist  discussed  earlier. 

In  the  above  discussion,  we  assumed  that  when  the  reply  message  arrived  at  the 
calling  guardian,  the  caller  was  waiting  for  the  reply.  However,  tins  is  not  necessarily 
so.  The  calling  guardian  may  have  crashed  bcfoie  the  reply  arrived,  the  calling 
action  may  have  aborted  because  of  the  termination  of  a  coenter.  01  tire  call  may 
have  been  timed  out  by  the  system  because  of  a  network  partition.  In  all  these  cases 
the  reply  message  is  discaided.  Furthermore,  we  can  be  certain  that  either  the  top 
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@G1 

No  information 

@G2 

A. 2  committed 

@G3 

A.  1.1  committed 
A. 2.1  committed 

1»G4 

A.  1.2  committed 

@G5 

A. 2.2  committed 

@G6 

No  information 

Figure  1 1-2:  Information  Stored  at  Subactions'  Guardians. 


At  the  top  action's  guardian,  we  remember  (in  volatile  storage)  the  parts  of  the  tree 
that  are  not  stored  at  the  subactions'  guardians.  First,  there  is  a  data  structure 
called  the  plist  that  lists  the  participants.  Second,  there  is  the  aborts  Jist,  which  lists 
those  subactions  that  aborted  but  that  might  have  committed  descendants  at  other 
guardians.  For  the  action  tree  in  Figure  11-1,  we  have 

plist  =  (G2.  G3.  G5} 
abortsjist  -  {  A.1  } 

Notice  that  the  abortsjist  need  not  contain  aborted  subactions  that  have  no  remote 
descendants  (e.g..  A. 2. 3).  because  this  information  is  (effectively)  stored  at  the 
aborted  subaction's  guaidian.  Notice  also  that  the  abortsjist  need  not  contain  two 
subactions  whore  one  is  an  ancestor  of  the  other:  in  such  a  case  only  the  older  of  the 
two  subactions  need  be  remembered. 


2.2.  Constructing  the  Action  Tree 

While  an  action  is  running,  the  implementation  maintains  the  following  volatile 
information  for  it  at  i's  guardian: 

plist  The  list  of  guardians  visited  by  committed  descendants  of  this 

action,  where  all  mo  esters  of  the  descendant  up  to  tins  action 
have  committed  (i  c  the  descr  ndunt  commits  J  to  this  action). 

aborts. list  The  list  of  aborted  di-s- ondarits  of  tins  action  that  may  have 

committed  .)  .,  >  nd.int  .  at  other  guardians 
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A@G 

active 


committed  committed  committed  committed  aborted 


Figure  11-1:  An  Action  Tree  Just  Before  Committing  of  Top  Action  A. 

tree  were  sent  to  all  participants,  then  they  could  determine  which  of  the  subactions 
that  ran  locally  should  have  volatile  versions  written  to  stable  storage,  and  which 
should  have  their  volatile  versions  discarded.  For  example,  at  G3  it  would  be  known 
that  A.2.l's  volatile  versions  should  be  written  to  stable  storage,  but  A.I.I’s  versions 
should  be  discarded.  However,  the  tree  may  be  large,  so  we  have  chosen  a  different 
approach.  Rather  than  building  the  tree  at  the  top  action’s  guardian  as  the  top 
action  and  its  descendants  run,  we  keep  parts  of  the  tree  at  the  descendants' 
guardians.  Some  information  must  still  be  collected  at  the  top  action's  guardian,  but 
the  amount  of  information  is  reduced. 

Before  discussing  the  stored  information,  it  is  necessary  to  say  a  few  words  about 
action  identifiers  (aids).  The  action  identifier  of  a  subaction,  e.g.,  A. 2.2,  contains 
within  it  the  guardian  identifier  ( gid )  of  the  guardian  at  which  the  subaction  ran,  e.g., 
G5,  and  also  the  aids  of  all  the  ancestors  of  the  subaction,  e.g.,  A.2  and 
A.  Furthermore,  given  two  aids,  it  is  possible  to  tell  whether  one  is  an  ancestor  of  the 
other.  Thus  some  of  the  information  in  the  action  tree  is  stored  in  the  aids. 

Figure  8-2  shows  the  information  kept  at  the  guardians  where  descendants  ran  for 
the  action  tree  shown  in  Figure  8-1.  These  guardians  remember,  in  a  local,  volatile 
data  structure  called  committed,  those  handler  subactions  that  ran  at  the  guardian 
and  then  committed.  In  addition,  for  each  of  these  subactions,  the  guardian 
remembers  all  the  atomic  objects  on  which  the  subaction  holds  locks.  This 
information  is  used  to  determine  what  needs  to  be  written  to  stable  storage  during 
two-phase  commit  and  to  release  locks.  Handler  subactions  that  ran  at  the  guardian 
and  then  aborted  are  forgotten;  these  subactions  hold  no  locks  (the  locks  were 
released  at  the  time  of  the  abort)  and  no  information  need  be  written  to  stable 
storage  for  them. 
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subactions.  Each  individual  action  runs  at  a  single  guardian;  we  will  refer  to  this 
guardian  as  the  action's  guardian.  An  action  can  affect  other  guardians  by  means  of 
handler  calls.  A  distributed  computation  starts  as  a  top  action  at  some  guardian  and 
spreads  to  other  guardians  by  means  of  handler  calls,  which  are  performed  as 
subactions  of  the  calling  action.  A  handler  call  subaction  may  make  further  handler 
calls  to  other  guardians;  it  may  also  make  use  of  the  objects  at  its  own  guardian  and 
thus  acquire  locks  on  them  and  also  (if  it  modifies  the  objects)  cause  new  volatile 
versions  to  be  created.  Since  these  versions  are  in  volatile  storage,  they  will  be  lost 
if  their  containing  guardian  crashes  before  the  top  action  commits.  Therefore,  when 
a  top  action  commits,  a  distributed  commitment  procedure  must  be  carried  out  to 
guarantee  that  the  new  versions  of  objects  modified  by  descendants  of  that  action 
are  copied  to  stable  storage. 

In  this  section,  we  describe  how  the  distributed  transaction  system  is  implemented. 
We  begin  by  describing  a  model  of  actions  that  can  be  used  both  to  discuss  how 
actions  execute,  and  what  happens  when  actions  complete.  We  use  this  model  to 
describe  the  information  that  is  collected  at  guardians  as  the  action  and  its 
subactions  run,  how  this  information  is  used  during  distributed  commitment,  and 
how  locks  are  propagated  from  one  guardian  to  another. 

2.1 .  Action  Trees 

A  top  action  and  its  descendants  can  be  modeled  by  means  of  a  tree  structure 
called  an  action  tree.  The  root  of  the  tree  is  labeled  by  the  top  action;  the  interior 
nodes  are  labeled  by  descendant  subactions.  Only  subactions  appear  below  the 
root  of  the  tree;  a  nested  top  action  will  be  represented  by  its  own  tree.  Each  node  of 
the  tree  contains  information  about  the  state  of  its  action  (active,  committed  or 
aborted)  and  the  guardian  at  which  the  action  is  running  or  ran.  Figure  11-1  shows  a 
tree  that  might  exist  just  before  the  top  action,  A,  commits. 

A  subaction  is  said  to  have  committed  to  the  top  if  it  committed,  and  so  have  all  its 
ancestors  up  to,  but  not  including,  the  top  action.  For  example,  A. 2.1  committed  to 
the  top.  but  A. 1.1  and  A. 1.2  did  not.  When  a  top  action  commits,  it  is  necessary  to 
communicate  with  the  guardians  of  all  actions  that  committed  to  the  top.  The 
guardians  are  called  the  participants.  We  need  not  communicate  with  guardians  of 
actions  that  did  not  commit  to  the  top  (for  example,  guardian  G4  in  the  figure),  which 
is  fortunate  since  such  communication  may  be  impossible.  For  example,  the  reason 
A.i  aborted  may  have  been  because  a  network  partition  made  it  i  ipossible  to 
receive  the  results  from  G4. 

If  a  top  action's  tree  were  known  at  the  top  action's  guardian  when  the  top  action  is 
about  to  commit,  the  information  in  it  could  be  used  to  control  distributed 
commitment.  The  participants  can  bo  computed  from  the  tree,  and  if,  in  addition,  the 
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1.  INTRODUCTION 

This  year,  the  Programming  Methodology  Group  has  continued  to  study  the 
structure  and  execution  of  distributed  programs.  As  before,  our  work  has  focused 
on  the  design  and  implementation  of  the  Argus  language  and  system,  which  is  being 
developed  to  support  the  construction  and  execution  of  distributed  programs. 
During  the  past  year,  we  have  completed  the  design  of  a  preliminary  version  of 
Argus,  and  have  published  a  reference  manual  describing  this  initial  language  [16]. 

The  implementation  of  Argus  has  been  a  major  effort  this  year.  This 
implementation  is  being  carried  out  on  a  number  of  Vaxes  running  Berkeley  Unix  4.2 
and  connected  by  a  local-area  net.  This  year  we  succeeded  in  bringing  up 
guardians  in  isolation:  an  individual  guardian  can  now  run,  including  the  execution 
of  top  actions  and  subactions,  but  it  is  not  yet  possible  to  run  a  computation  that 
takes  place  at  many  different  guardians.  In  addition,  as  a  first  step  in  supporting 
distributed  computations,  we  implemented  a  communications  subsystem  that  runs 
on  top  of  IP  [20],  and  we  implemented  remote  procedure  calls  on  top  of  this 
substrate.  Finally,  as  we  implement  Argus  itself,  we  are  implementing  a  system  for 
debugging  Argus  programs  so  that  as  each  new  feature  of  Argus  is  executable, 
debugging  support  for  programs  using  that  feature  is  also  available. 

In  addition  to  our  work  on  Argus,  we  are  conducting  research  on  a  number  of 
topics  in  both  programming  methodology  and  distributed  computing.  Julie 
Lancaster  [13]  designed  a  naming  structure  for  a  program  development  system  that 
supports  version  control.  Our  work  in  distributed  computing  includes  orphan 
detection  algorithms,  data  replication  techniques  and  action  debugging  [4], 

In  the  following  sections  we  assume  some  familiarity  with  Argus;  an  overview  can 
be  found  in  [14],  Section  2  provides  an  overview  of  the  Argus  implementation, 
focusing  on  the  way  that  atomic  actions  are  implemented.  Section  3  discusses  our 
orphan  detection  algorithm,  and  then  describes  a  method  for  reducing  the  cost  of 
the  algorithm.  Section  4  includes  some  issues  concerning  atomic  data  types,  and 
Section  5  describes  a  new  replication  method  for  constructing  highly  available 
distributed  objects. 

2.  IMPLEMENTATION 

The  Argus  implementation  includes  an  operating  system  kernel  that  supports 
execution  and  scheduling  of  guardians  and  their  processes,  and  also  some  form  of 
message  communication.  In  addition,  it  contains  a  distributed  transaction  system, 
and  a  recovery  system. 

A  distributed  computation  in  Argus  consists  of  a  top  action  and  all  of  its 
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of  the  above  possibilities  inherently  involves  taking  any  action.  The  capability  to  take 
action  as  well  as  to  describe  the  world  is  very  important.  The  relationships  between 
description  and  action  are  quite  subtle. 

We  claim  that  actors  (unlike  lambda  expressions,  logical  implications,  etc.)  are  the 
universal  objects  of  concurrent  systems  and  that  they  can  serve  as  a  efficient 
interface  between  the  hardware  and  software.  Actors  provide  an  absolute 
conceptual  interface  between  the  software  and  hardware  of  parallel  computer 
systems.  The  function  of  the  hardware  is  to  efficiently  implement  the  primitive  actors 
and  the  ability  to  communicate  in  parallel.  Software  systems  in  turn  can  be 
implemented  in  terms  of  actors  completely  independently  of  the  hardware 
configuration.  The  actor  concept  itself  is  defined  mathematically  and  is  thus 
logically  independent  of  all  programming  languages  and  hardware  architectures.  A 
system  consisting  of  multiple  processors  ••  called  the  APIARY  --  is  being  developed 
to  use  the  inherent  parallelism  of  actor  systems  to  increase  the  efficiency  of 
computation  [18]. 

Message  Passing  Semantics  deals  coherently  with  both  doing  and  describing 
whereas  truth  theoretic  semantics  only  addresses  some  of  the  issues  of  describing. 
We  claim  that  it  is  impossible  to  implement  shared  resources  for  Open  Systems  in 
description  systems  such  as  first  order  logic  and  the  lambda  calculus  because  they 
lack  the  necessary  communication  capabilities. 

Oescriotion  languages  based  on  first  order  logic  and/or  the  lambda  calculus  have 
been  designed  to  express  properties  but  are  incapable  of  taking  action.  On  the 
other  hand  procedural  languages  (such  as  current  dialects  of  Lisp  and  Ada)  have 
been  designed  to  efficiently  take  action  but  they  suffer  from  a  lack  of  descriptive 
capabilities.  We  need  good  ways  to  integrate  the  roles  of  descriptions  and  actions  in 
our  systems.  Some  of  the  ideas  in  this  report  have  been  applied  to  the  analysis  of 
the  relationship  between  the  roles  of  descriptions  and  actions  in  organizational  work 
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Systems  independent  agents  can  incrementally  spawn  ongoing  computations  so  that 
the  environment  of  a  computation  is  not  fixed  when  a  computation  is  begun. 

7.  RELATED  WORK 

The  object-oriented  programming  languages  (e.g.,  [5][28][35]  and  [19])  are  built 
out  of  objects  (sometimes  called  "data  abstractions")  which  are  completely  separate 
from  the  procedures  in  the  language.  Similarly  the  lambda  calculus  programming 
languages  (e.g.,  [30][25][12][2]  and  [36])  are  built  on  functions  and  data  structures 
(viz.  lists,  arrays,  etc.)  which  are  separate.  SmallTalk  [20]  is  somewhat  a  special 
case  since  it  simplified  Simula  by  leaving  out  the  procedures  entirely,  i.e.  it  has  only 
classes.  The  Simula-like  languages  provide  effective  support  for  coroutines  but  not 
for  concurrency.  In  contrast  the  Actor  Model  is  designed  to  aid  in  conceptual 
modeling  of  shared  objects  in  a  highly  parallel  open  systems.  Actors  serve  to 
provide  a  unified  conceptual  basis  for  functions,  data  structures,  classes, 
suspensions,  futures,  procedure  invocations,  exception  handlers,  objects, 
procedures,  processes,  etc.  in  all  of  the  above  programming  languages  [3][27][15]. 
For  example  sending  a  request  communication  generalizes  the  traditiona'  procedure 
invocation  mechanism  which  requires  that  control  return  to  the  point  of  invocation. 
A  request  communication  contains  the  mail  address  of  a  customer  to  which  the 
response  to  the  request  should  be  sent  as  well  as  the  message  specifying  the  task  to 
be  performed.  In  this  way,  exception  handlers  [28][19]  and  co  routines  [5]  are 
conveniently  unified  with  other  more  general  control  structures.  The  Actor  Model 
unifies  the  conceptual  basis  of  the  lambda  calculus  and  the  object-oriented  schools 
of  programming  languages  -  being  mathematically  defined,  it  is  independent  of  all 
programming  languages. 

The  results  in  this  paper  are  intended  to  contrast  with  and  further  develop  the 
ideas  in  [23]  and  [34],  Both  of  the  above  systems  are  pragmatically  useful  and 
interesting  experiments  in  their  own  right.  Unfortunately,  neither  as  yet  has  a  well 
developed  mathematical  semantics  which  would  make  it  possible  to  directly  analyze 
them  as  we  have  done  for  the  lambda  calculus  and  first  order  logic.  To  the  extent 
that  Intermission  and  Concurrent  Prolog  are  based  on  first  order  logic  and  the 
lambda  calculus,  they  inherit  limitations  discussed  in  this  paper. 


8.  CONCLUSION 

The  fundamental  thesis  of  this  report  is  that  knowing  that  something  is  the  case 
and  taking  action  to  make  it  the  case  are  two  different  things  which  should  not  be 
confused.  Asserting  a  proposition  P  can  mean  that  we  have  established  that  P  is  the 
case  and  want  to  explicitly  record  this  in  the  data  base.  Or  it  can  mean  that  we  want 
to  declare  that  P  is  our  goal  and  we  will  devote  some  effort  to  establishing  it.  Neither 
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a  SharedAccount  can  then  concurrently  accept  an  Account  Balance  query  and 
reply  with  the  Completion  Report  for  the  Withdrawal  request. 

An  important  special  case  occurs  when  an  actor  can  never  change  its  local  state. 
Such  an  actor  is  called  unserialized  and  is  treated  specially  so  that  conceptually  it  is 
able  to  process  arbitrarily  many  messages  at  the  same  time.  Actors  such  as  the 
square  root  function  and  the  text  of  Lincoln's  Gettysburg  Address  are  unserialized. 

Another  unusual  aspect  is  that  there  are  no  assignment  commands.  Effects  are 
implemented  by  an  actor  changing  its  own  local  state  using  a  become  command 
[15].  We  model  change  by  actors  which  change  their  own  local  state.  Our 
conceptual  model  of  change  contrasts  with  the  usual  computer  science  notion  in 
which  change  is  modeled  by  updating  the  state  components  of  a  universal  global 
state  [31].  The  absence  of  the  existence  of  a  well  defined  global  state  is  a 
fundamental  difference  between  the  actor  model  and  classical  sequential  models  of 
computation  [39][9].  Actor  systems  can  perform  nondeterministic  computations  for 
which  there  is  no  equivalent  nondeterministic  Turing  Machine  [10].  The 
nonequivalence  points  up  the  limitations  of  attempting  to  model  parallel  systems  as 
nondeterministic  sequential  machines  [31].  This  is  not  to  say  that  actor  systems  can 
implement  functions  which  are  not  recursively  computable  (like  solving  the  Halting 
Problem).  Instead  the  point  is  that  recursive  functions  do  not  provide  an  adequate 
model  of  parallelism,  i.e.,  an  Open  System  cannot  be  adequately  modeled  as  a 
recursive  function  which  maps  global  states  to  global  states  because  at  any  given 
point  in  time  an  Open  System  does  not  in  general  have  a  well  defined  global  state. 
Will  Clinger  has  developed  an  elegant  mathematical  theory  (called  Actor  Theory) 
which  accounts  for  capabilities  of  actor  systems  which  go  beyond  those  of 
nondeterministic  Turing  Machines.  We  claim  that  nondeterministic  Turing  machines 
are  an  unsatisfactory  model  of  the  computational  capabilities  of  large-scale  open 
systems. 

Concurrency  in  Open  Systems  stems  from  the  parallel  operation  of  an 
incrementally  growing  number  of  multiple,  independent,  communicating  agents. 
Sites  can  join  an  Open  system  in  the  course  of  its  normal  operation  ••  sometimes 
even  affecting  the  results  of  computations  initiated  before  they  joined.  Actor  Theory 
has  been  designed  to  accurately  model  the  computational  properties  of  Open 
Systems.  It  is  a  consequence  of  the  Actor  Model  that  purely  functional  programming 
languages  based  on  the  lambda  calculus  cannot  implement  shared  accounts  in 
Open  Systems.  The  technique  promoted  by  Strachey  and  Milne  [31]  for  simulating 
some  kinds  of  parallelism  in  the  lambda  calculus  using  continuations  does  not  apply 
to  Open  Systems.  The  lambda  calculus  simulation  is  sequential  whereas  Open 
Systems  are  inherently  parallel.  Concurrency  in  the  lambda  calculus  stems  from  the 
concurrent  reduction/evaluation  of  various  parts  of  a  single  lambda  expression  with 
an  environment  which  is  fixed  when  the  lambda  expression  is  created.  In  Open 
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discussed  above  will  \irroneously)  prepare  in  this  case.  Such  a  situation  is  not  a 
problem  for  us  because  a#  orphan  detection,  which  is  described  in  Section  3. 

2.4.  Lock  Propagation 

Our  lock  propagation  rule  specifies  that  when  a  subaction  commits,  its  locks  and 
versions  are  propagated  to  its  parent;  when  it  aborts,  its  locks  and  versions  are 
discarded.  Propagation  of  an  object's  locks  and  versions  is  always  performed  at  the 
object’s  guardian.  In  addition,  we  carry  out  this  propagation  immediately  only  for 
local  actions.  For  example,  when  a  handler  action  commits,  we  do  not  propagate  its 
locks  and  versions  to  its  parent,  nor  do  we  communicate  with  the  guardians  of  its 
non-local  descendants  to  cause  the  appropriate  propagation  of  locks  for  their  local 
objects.  In  this  way  we  avoid  the  delays  that  such  communication  would  cause;  only 
when  top  actions  commit  is  this  communication  necessary. 

Since  communication  only  happens  when  top  actions  commit,  certain  problems 
can  arise.  For  example,  consider  the  action  tree  in  Figure  11-1.  How  does  guardian 
G4  discover  that  the  locks  held  by  A.  1.2  should  be  released?  A  related  problem  may 
occur  at  G3.  Suppose  that  A.  1.1  and  A.2.1  modify  the  same  object,  X.  Suppose 
further  that  A.1  and  A.2  are  actually  running  concurrently,  so  that  it  is  possible  that 
either  A. 1.1  or  A.2.1  may  get  to  G3  first.  If  A.1.1  modified  X  first,  then  before  A.2.1 
can  use  X,  we  must  discard  A.l.l’s  lock  and  version  of  X.  To  do  this,  we  must  learn  at 
G3  about  the  abort  of  A.1.  Alternatively,  if  A.2.1  modified  X  first,  then  before  A.1.1 
can  use  it  we  must  learn  about  the  commit  of  A.2,  and  propagate  the  lock  and 
version  of  X  to  A.  Only  then  can  A.1.1  use  X. 

We  solve  problems  like  these  by  means  of  loch  propagation  queries.  As  mentioned 
earlier,  when  a  handler  call  commits,  we  continue  to  keep  all  its  used  objects  locked 
on  its  behalf.  If  later  some  other  action  wants  to  use  the  locked  object,  the  object's 
guardian  will  send  a  query  to  determine  the  fate  of  the  handler  action  that  holds  the 
lock.  Such  a  query  will  be  sent  to  a  guardian  at  which  an  ancestor  of  the  handler 
action  ran.  Recall  that  the  aid  of  a  subaction  can  be  used  to  determine  the  aids  of 
the  ancestors  of  the  subaction  and  thus  the  guardians  of  the  ancestors. 

In  the  following,  we  discuss  two  actions,  H  and  R.  H  is  a  committed  handler  action 
that  holds  a  lock  on  some  object.  R  is  an  active  action  that  wants  to  acquire  a  lock 
on  that  object.  H  and  R's  guardian  will  send  a  query  to  some  other  guardian.  That 
other  guardian  will  respond  with  a  query  response  telling  what  it  knows,  and  H  and 
R's  guardian  will  then  act  on  that  information. 

There  are  two  situations  to  consider,  depending  on  whether  H  is  related  to  R  or 
not.  If  H  and  R  are  not  related,  then  H's  lock  can  be  broken  only  if  H  did  not  commit 
to  the  top  or  H's  top  action.  T,  aborted.  A  good  place  to  send  the  query  is  to  T's 
guardian.  GT.  There  are  the  following  possibilities  at  GT: 
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1)  T  is  not  known  at  GT.  and  the  query  response  so  indicates.  There  are 
two  possibilities  here:  T  aborted,  or  T  committed  but  two  phase  commit 
is  finished.  In  the  latter  case,  if  H  committed  to  the  top,  its  guardian  will 
have  already  discarded  its  locks  and  made  its  versions  the  current 
versions,  and  the  query  response  will  be  ignored.  If  H  still  holds  locks 
when  the  query  response  is  received,  its  locks  will  be  released  and  its 
versions  discarded. 

2)  T  is  in  the  second  phase  of  two  phase  commit.  Again,  there  are  two 
possibilities:  either  H's  guardian  is  not  a  participant,  or  it  is.  If  H’s 
guardian  is  a  participant,  it  will  either  be  in  phase  2  or  finished  with  two 
phase  commit  for  T  when  the  query  response  arrives,  and  will  ignore  the 
response;  otherwise,  it  will  discard  H’s  locks  and  versions. 

3)  If  T  is  active  or  in  phase  1,  but  H  is  a  descendant  of  some  action  in  T's 
aborts  Jist,  then  the  query  response  can  indicate  that  some  ancestor  of 
H  aborted.  In  this  case  H's  locks  and  versions  can  be  discarded. 

4)  If  T  is  in  phase  1,  but  H  is  not  a  descendant  of  some  action  in  the 
aborts  Jist,  then  we  can  discard  the  query,  since  H’s  guardian  is  about  to 
receive  appropriate  information  anyway  as  part  of  two-phase  commit. 

5)  If  T  is  active  and  H  is  not  a  descendant  of  some  action  in  the  aborts  Jist, 
then  the  query  cannot  be  resolved  yet.  In  this  case,  H's  guardian  cannot 
release  H's  locks;  it  can  query  to  GT  again  later,  or  it  could  query  to 
guardians  of  other  ancestors  of  H  to  try  to  discover  if  some  ancestor  of  H 
aborted.  This  additional  querying  is  useful  only  if  an  ancestor  of  H  is 
active  at  some  other  guardian;  such  information  can  be  included  in  the 
query  response. 

For  example,  suppose  that  A.  1.1  of  Figure  11-1  is  the  holder,  and  the  requester,  R, 
is  a  non  relative.  The  query  would  be  sent  to  G.  If  G  knows  nothing  about  A,  or  is  in 
phase  two  for  A,  or  A  is  active  or  in  phase  1  but  A.1  appears  in  the  aborts  Jist,  then 
G3  can  be  told  to  release  A.I.I’s  lock.  (In  fact,  all  of  A.l.l’s  locks  will  be  released 
and  its  versions  discarded  at  this  point.)  The  only  other  possibility  for  this  action  tree 
is  that  A.1  is  still  active;  in  this  case  G3  might  try  a  query  to  G1. 

The  second  situation  is  when  H  and  R  are  related.  In  this  case  we  are  interested  in 
an  ancestor  of  H  and  R  called  the  least  common  ancestor  (the  LCA).  The  LCA  is  the 
action  that  is  an  ancestor  of  both  H  and  R.  and  that  is  younger  than  all  other 
ancestors  of  H  and  R.  For  example,  for  the  action  tree  of  Figure  1 1  -1 ,  A. 2  is  the  LCA 
of  A. 2.1  and  A. 2.2.  while  A  is  the  LCA  of  A. 1.2  and  A. 2.2.  To  satisfy  R’s  request  for 
the  object,  we  must  learn  whether  or  not  H  committed  to  the  LCA.  If  H  did  commit  to 
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the  LCA,  its  locks  and  versions  can  be  propagated  to  the  LCA  and  then  R  can  obtain 
its  needed  lock.  Notice  that  in  this  case  R  will  observe  any  modifications  made  by 
H.  The  other  cases  are  described  below. 

So,  when  H  and  R  are  related,  a  query  is  sent  to  the  LCA’s  guardian.  There  are  the 
following  possibilities: 

1)  If  the  LCA  is  active  and  H  is  a  descendant  of  some  action  in  its 
aborts  Jist,  then  the  query  response  can  indicate  that  some  ancestor  of 
H  aborted.  In  this  case,  H’s  locks  and  versions  can  be  discarded,  and 
then  R  can  obtain  its  needed  lock. 

2)  If  the  LCA  is  active,  H  is  not  a  descendant  of  an  action  in  the  aborts  Jist, 
and  the  handler  call  that  gave  rise  to  H  has  completed,  then  the  query 
response  can  indicate  that  H  did  commit  to  the  LCA.  In  this  case,  H’s 
locks  and  versions  can  be  propagated  to  the  LCA  and  then  R  can 
acquire  the  needed  lock. 

3)  If  the  LCA  is  active  and  the  handler  call  that  gave  rise  to  H  is  still  active, 
then  the  query  cannot  be  resolved  at  the  LCA’s  guardian.  In  this  case 
H's  guardian  may  query  to  other  guardians  where  ancestors  of  H  are 
running. 

4)  Otherwise,  the  LCA  is  no  longer  active  at  its  guardian.  In  this  case,  the 
fate  of  H  is  not  known  at  the  LCA’s  guardian,  but  R  is  an  orphan.  We  will 
discuss  orphans  in  the  next  section.  When  H’s  guardian  receives  this 
response,  it  will  leave  H's  locks  and  versions  intact,  but  destroy  R  as 
discussed  below. 

It  is  worth  noting  that  queries  are  the  glue  that  holds  the  system  together.  For 
example,  when  a  handler  action  aborts,  we  may  choose  to  notify  guardians  where 
descendants  committed  about  the  abort,  but  this  is  strictly  an  optimization  to  avoid 
queries  later.  We  do  not  need  to  communicate  before  the  reply  message  for  the 
aborting  handler  is  sent  to  its  caller,  so  we  incur  no  delay  in  the  processing  of 
actions.  Instead  we  can  communicate  when  it  is  convenient,  for  example  when  the 
handler’s  guardian  is  not  doing  anything.  Furthermore,  we  need  not  try  very  hard  to 
communicate,  since  if  a  message  is  lost,  the  information  can  always  be  obtained  by  a 
query. 
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3.  ORPHANS 

An  orphan  is  any  active  action  whose  results  are  no  longer  wanted  (see  also  [19]). 
Orphans  arise  from  two  different  sources:  explicit  aborts  and  crashes.  Let  us 
consider  the  case  of  explicit  aborts  first.  One  way  aborts  happen  is  when  the  system 
determines  that  a  handler  call  cannot  be  completed  right  now.  As  mentioned  above, 
a  handler  call  causes  two  subactions  to  be  created,  and  the  call  action  will  commit 
only  after  it  has  received  the  handler's  reply  and  extracted  the  results  from  that  reply 
message.  This  can  occur  only  if  the  handler  action  has  actually  finished  and  either 
committed  or  aborted.  On  the  other  hand,  the  call  action  can  ahort  without  receiving 
a  reply  from  the  handler,  and  in  this  case  the  handler  action  (or  some  descendant  of 
it)  may  still  be  running  as  an  orphan. 

Aborts  also  happen  when  an  arm  of  a  coenter  exits  the  coenter  and  causes  other 
arms  to  abort.  The  local  subactions  that  correspond  to  these  other  arms  will  be 
terminated  when  this  occurs,  but  if  any  of  those  arms  is  waiting  for  a  handler  call  to 
complete,  we  abort  the  call  action  immediately  and  may  leave  an  orphan  at  some 
other  guardian. 

The  second  way  orphans  arise  is  due  to  crashes  For  example,  the  guardian 
making  a  call  may  crash,  leaving  the  handler  action  as  an  orphan.  Another 
possibility  is  the  following:  Suppose  subaction  S  running  at  guardian  GS  made  a  call 
to  guardian  GC.  Suppose  this  call  committed,  but  subsequently  GC  crashed.  In  this 
case  S  must  ultimately  abort,  because  it  depends  on  information  at  GC  that  has  now 
been  lost.  Therefore,  S  is  an  orphan. 

Since  S  is  an  orphan,  it  cannot  commit  and  therefore  none  of  its  changes  will 
become  visible  to  other  actions.  Nevertheless,  orphans  are  bad  for  two  reasons. 
Since  their  results  are  not  wanted,  they  are  wasting  resources.  For  example,  some 
other  action  may  be  delayed  because  an  orphan  holds  a  needed  lock.  In  addition, 
because  they  depend  on  locks  that  have  been  broken  (for  example.  S  depends  on 
locks  acquired  by  the  handler  call  to  GC),  there  is  a  danger  that  they  may  observe 
inconsistent  data.  Such  inconsistent  data  can  cause  a  program  that  behaves 
reasonably  when  the  data  is  consistent  to  behave  strangely;  for  example,  a  program 
that  would  ordinarily  terminate  may  loop  forever.  In  addition,  if  the  program  is 
interacting  with  a  user,  it  may  display  inconsistent  data  to  the  user. 

To  illustrate  this  problem  of  inconsistent  data,  consider  the  following  example. 
Suppose  guardian  V  replicates  the  data  stored  at  another  guardian  X.  The 
consistency  constraint  between  each  object  x  at  X  and  its  replica  y  at  Y  is  that  x  =  y. 
Now  consider  the  scenario  shown  in  Figure  1 1  -3:  First  suppose  that  top  action  S 
makes  a  call,  S.1,  to  guardian  X.  S.1  reads  x,  thus  obtaining  a  read  lock  on  x, 
displays  the  value  of  x  to  a  user  at  a  console,  and  then  commits.  Next  X  crashes  and 
subsequently  recovers;  however,  S.Vs  lock  on  x  has  been  lost.  Then  another  top 
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action  T  makes  a  call  to  X;  this  call,  T.1,  changes  the  value  of  x  to  x  +  1  and 
commits.  Next  T  makes  a  call  T.2  to  Y,  which  changes  y  to  y  +  1  (thus  preserving 
the  invariant)  and  commits.  Finally  T  commits,  so  the  locks  on  x  and  y  held  by  its 
descendants  are  released,  and  x  and  y  take  on  their  new  values.  Now  S  makes  a  call 
S.2  to  Y.  which  reads  the  new  value  of  y  and  displays  this  value  to  the  user  at  the 
console.  The  new  value  of  y  is  different  from  the  value  of  x  displayed  previously,  so 
the  user  has  seen  inconsistent  data. 

S  @  Gs:  T  @  Gt: 

S.1  @  X: 

display  x  to  user 
commit 

X  crashes  and  recovers . 


T.1  @  X: 
x  :  =  x  +  1 
commit 

T.2  @  Y: 
y  :=  y  +  1 
commit 

T  commits 


S.2  @  Y: 

display  y  to  a  user 


Figu  re  1 1  -3:  An  Orphan  Scenario. 

In  Argus,  we  guarantee  to  eliminate  orphans  quickly  enough  that  an  orphan  can 
never  observe  data  in  a  state  that  could  not  be  observed  by  a  non  orphan.  As  a 
result  of  this  guarantee,  it  is  not  necessary  to  worry  about  orphans  when  writing 
Aigus  programs.  For  example,  the  programmer  need  not  be  concerned  that  a 
program  might  expose  inconsistencies  of  the  sort  discussed  above  to  the  user. 

Our  method  of  detecting  orphans  is  to  send  extra  information  in  some  of  the 
messages  that  guardians  use  to  communicate,  namely,  call  and  reply  messages, 
prepare  messages,  and  queries  and  query  responses.  We  also  keep  extra 
information  at  each  guardian.  First  each  guardian  has  a  crash  count',  this  is  a  stable 
counter  that  is  incremented  after  each  crash.  In  addition,  the  guardian  maintains 
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two  stable  data  structures:  done  and  map.  Done  lists  all  actions  known  to  this 
guardian  that  may  have  orphans  somewhere.  Like  the  abortsjist,  it  is  not  necessary 
to  keep  two  actions  in  done  where  one  is  an  ancestor  of  the  other;  instead  only  the 
older  of  the  two  actions  need  be  kept.  Map  lists  all  guardians  known  to  this  guardian 
and  their  latest  known  crash  counts. 

In  each  message  we  include  done  and  map  of  the  sending  guardian,  and,  in 
addition,  the  dlist,  which  lists  the  guardians  depended  on  by  the  action  on  wnose 
behalf  the  message  is  being  sent.  Intuitively,  an  action  depends  on  a  guardian  if  a 
crash  of  that  guardian  would  cause  it  to  become  an  orphan.  The  guardians  an 
action  depends  on  can  be  computed  from  information  in  plists:  An  action  depends 
on  all  the  guardians  in  its  plist,  but  it  also  depends  on  all  guardians  listed  in  plists  of 
all  its  ancestors  at  the  time  it  was  created.  The  dlist  is  maintained  for  each  running 
action  (along  with  the  plist,  etc.). 

The  information  in  a  message  is  used  at  the  receiving  guardian  to  detect  and 
destroy  any  local  orphans  and  possibly  to  reject  the  incoming  message;  it  is  also 
merged  with  local  information  to  bring  that  information  more  up  to  date.  For 
example,  a  call  message,  C,  is  processed  as  follows: 

1) We  check  for  any  action  running  at  the  receiving  guardian  that  is  a 
descendant  of  an  action  in  C's  done,  or  that  depends  on  a  guardian 
whose  crash  count  in  C’s  map  is  higher  than  what  is  known  locally. 

Such  an  action  is  an  orphan.  These  orphans  are  destroyed  before  the 
call  message  is  acted  upon. 

2)  We  check  that  the  call  itself  is  not  being  performed  on  behalf  of  an 
orphan.  The  call  is  an  orphan  if  its  aid  is  a  descendant  of  some  action  in 
the  local  done,  or  if  any  guardian  in  C's  dlist  has  a  lower  crash  count  in 
C’s  map  than  in  the  local  map.  If  the  call  action  is  an  orphan,  we  send 
back  a  special  reply  rejecting  the  call. 

3)  Otherwise,  we  merge  C’s  map  and  done  with  the  local  map  and  done 
and  then  run  the  handler  action.  In  merging  the  maps,  if  the  two  maps 
disagree  about  the  crash  count  of  a  guardian,  the  higher  crash  count  is 
retained. 

Orphan  detection  will  prevent  the  problem  illustrated  by  the  scenario  in  Figure 
1 1  -3.  When  subaction  T.  1  of  T  runs  at  X,  X  has  a  higher  crash  count  than  it  did  when 
subaction  S.l  ran  there.  This  information  is  propagated  to  GT  in  the  reply  message 
of  T.1,  and  then  to  Y  in  the  call  of  T.2.  The  new  information  about  X’s  crash  count 
will  then  be  recorded  in  Y's  map.  Later,  when  the  call  of  S.2  arrives  at  Y,  it  will  be 
rejected  because  the  map  sent  in  this  call  will  contain  the  old  crash  count  for  X. 
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Notice  that  the  information  in  the  map  is  just  what  is  needed  to  correct  the  problem 
in  two-phase  commit  mentioned  earlier.  For  example,  consider  the  situation 
discussed  earlier,  in  which  A.2.1  committed,  then  G3  crashed  and  recovered,  and 
later  A.1.1  arrived.  There  are  two  possibilities,  if  A.1  and  A. 2  are  sequential  (in 
which  case  A.2  actually  ran  before  A.1),  then  A.1  depends  on  G3;  the  map  in  the  call 
message  for  A.1.1  will  list  G3’s  old  crash  count,  so  the  call  will  be  rejected  by  G3  as 
an  orphan.  Another  possibility  is  that  A.1  and  A.2  are  concurrent.  In  this  case, 
whichever  one  commits  to  A  first  indicates  one  crash  count  for  G3,  while  the  second 
one  to  commit  to  A  indicates  a  different  crash  count  for  G3.  In  either  case,  when  the 
second  one  commits  to  A,  A  will  be  recognized  as  an  orphan  and  aborted;  two  phase 
commit  will  not  be  carried  out. 

In  the  above,  we  discussed  how  orphans  are  detected,  but  simply  assumed  that  it 
was  a  simple  matter  to  destroy  an  orphan.  In  fact,  orphan  destruction  is  not  too 
difficult  in  Argus.  Any  process  within  a  guardian  can  be  destroyed  without  impact  on 
the  guardian's  data  provided  that  it  is  not  in  a  critical  section.  Since  the  action  of  the 
process  aborts,  this  ensures  that  any  modifications  to  atomic  objects  are  undone. 
(Note  that  we  do  rely  on  actions  sharing  only  atomic  objects;  this  restriction  is 
needed  if  the  actions  are  to  be  atomic.) 

Argus  processes  enter  critical  sections  in  two  ways:  explicitly,  by  gaining 
possession  of  special  built-in  objects  called  mutex  objects,  which  are  similar  to 
semaphores,  and  implicitly,  by  executing  some  system  code  that  runs  in  a  critical 
section.  For  example,  the  operations  on  the  built-in  atomic  objects  run  in  a  critical 
section  while  examining  the  current  status  of  the  object  (whether  it  is  locked  on 
behalf  of  some  action).  We  keep  track  for  each  process  of  whether  or  not  it  is  in  a 
critical  section.  If  it  is  not,  we  can  destroy  it  immediately  and  abort  its  action.  If  it 's, 
we  let  it  run  until  it  exits  its  critical  sections.  If  it  does  not  exit  its  critical  sections,  we 
can  always  crash  the  guardian  as  a  last  resort. 

3.1 .  Optimization  of  the  Orphan  Detection  Algorithm 

The  practicality  of  orphan  detection  depends  primarily  on  the  amount  of 
information  that  need  be  sent  in  messages.  Both  map  and  done  are  potentially  very 
large,  but  it  is  possible  to  limit  the  information  that  need  be  sent.  Below  we  describe 
a  technique  developed  by  Walker  [22]  for  reducing  the  sizes  of  both  map  and  done. 
We  describe  how  the  scheme  works  for  done,  and  then  discuss  how  it  can  be  used 
for  map. 

In  this  scheme,  every  action  is  assigned  a  done-deadline.  This  deadline  is  created 
whenever  a  top  action  is  created;  a  subaction  inherits  the  done-deadline  of  its 
parent.  The  deadline  is  some  time  in  the  future,  e.g.,  several  hours  after  the  top 
action  was  created  according  to  the  clock  of  the  creating  guardian. 
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All  guardians  guarantee  that  the  the  top  action  and  all  its  descendants  will  be 
destroyed  as  soon  as  the  done-deadline  is  reached.  Since  no  descendants  ot  an 
action  continue  to  run  once  the  deadline  is  passed,  it  is  not  necessary  to  keep  an 
action  identifier  in  done  once  that  action's  deadline  has  passed.  Thus,  the  length  of 
time  an  action  identifier  remains  in  done  is  limited. 

Of  course,  it  is  not  possible  for  all  guardians  to  recognize  that  descendants  of  an 
action  have  passed  their  deadlines  at  exactly  the  same  instant,  since  the  clocks  at 
different  nodes  cannot  be  exactly  the  same.  However,  we  can  accommodate  clock 
skew  provided  that  some  upper  bound  on  the  maximum  deviation  of  different 
guardians’  clocks  can  be  defined.  Thus  we  require  that  clocks  be  loosely 
synchronized.  It  is  not  difficult  with  today’s  technology  to  synchronize  clocks  to 
within  a  few  minutes  of  one  another,  even  in  a  large  system  [17]. 

The  actual  algorithm  takes  clock  skew  into  account.  When  a  guardian  discovers 
an  orphan  based  on  comparing  the  orphan's  done-deadline  with  its  local  clock,  it 
destroys  the  orphan.  However,  it  does  not  remove  action  identifiers  from  done  the 
instant  their  deadline  is  passed.  Instead,  action  identifiers  are  removed  from  done 
only  after 

D  +  epsilon 

where  D  is  the  action  done  deadline  and  epsilon  is  the  maximum  clock  skew. 

One  problem  with  the  above  algorithm  is  that  it  is  difficult  to  define  a  reasonable 
deadline  when  an  action  is  created.  If  the  deadline  chosen  is  very  large,  then  action 
identifiers  of  descendants  of  the  action  must  remain  in  done  a  very  long  time.  On  the 
other  hand,  if  the  deadline  is  small,  some  action  might  be  aborted  just  because  its 
deadline  passed,  even  though  it  is  not  an  orphan.  To  provide  a  more  flexible 
scheme,  Walker  describes  a  method  of  extending  deadlines.  (A  similar  method  is 
described  in  [1 1].)  Shortly  before  an  action  is  due  to  expire  because  of  its  deadline, 
its  guardian  can  query  to  determine  whether  the  action's  deadline  can  be  extended. 
The  response  to  this  query  indicates  either  that  the  action  is  an  orphan  or  contains  a 
new  deadline.  In  the  latter  case,  the  new  deadline  replaces  the  old  deadline  and  the 
action  continues  to  run. 

The  deadline  scheme  can  also  be  applied  to  the  map.  In  this  scheme,  there  is  a 
system-wide  map  deadline-interval.  Whenever  a  guardian  recovers  from  a  crash,  it  is 
entered  in  the  local  map  with  its  new  crash  count,  and  a  map-deadline  equal  to  its 
current  time  plus  the  deadline-interval.  In  addition,  when  a  top  action  is  created  it  is 
assigned  a  map-deadline  in  addition  to  the  done-deadline.  The  map-deadline  is 
equal  to  its  guardian's  current  time  plus  the  dead  line- interval.  The  map-deadline, 
like  the  done  deadline,  is  sent  in  all  messages  concerning  the  action,  so  all 
guardians  at  which  descendants  of  the  action  run  know  the  action's  map-deadline. 
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Whenever  a  guardian  detects  that  an  action  running  locally  is  past  its  map- 
deadline,  it  destroys  the  action.  Therefore,  the  system  guarantees  that  no 
descendants  of  an  action  run  past  the  map-deadline,  modulo  the  clock  skew. 

Since  no  actions  run  past  their  map-deadlines,  it  is  necessary  to  retain  an  entry  in 
map  only  until 

D  +  epsilon 

where  D  is  the  entry’s  mao  deadline  and  epsilon  is  the  maximum  clock  skew.  This 
scheme  works  for  the  following  reason.  Suppose  some  guardian  G  creates  a  top 
action  A  with  map  deadline  DA  and  then  crashes.  Note  that  all  descendants  of  A 
become  orphans  because  of  the  crash.  Subsequently  G  recovers  and  is  entered  in 
the  map  with  some  map  deadline  D.  No  matter  how  quickly  G  recovers,  it  recovers 
after  the  creation  of  A,  so 

Da<D 

Therefore,  the  entry  for  the  crashed  guardian  will  remain  in  the  map  long  enough  to 
permit  detection  of  descendants  of  A  as  orphans.  Notice  that  the  map  will  be 
propagated  just  as  in  the  unoptimized  algorithm.  If  the  map  containing  the  new 
crash  count  for  D  happens  to  reach  a  guardian  at  which  a  descendant  of  A  is 
running,  the  entry  for  D  will  still  be  stored  explicitly  in  the  map  because  DA  <  D. 

Just  as  was  the  case  with  the  done-deadline,  it  is  possible  to  extend  an  action’s 
map-deadline.  However,  if  crashes  are  rare  the  map- interval  can  be  very  large 
without  having  map  be  large.  Therefore,  it  is  probably  sufficient  to  have  a  large  map- 
interval  and  not  extend  the  map-deadline. 

Done-deadlines  for  actions  can  be  chosen  independently  at  each  guardian. 
However,  such  flexibility  does  not  exist  for  the  map-interval.  For  example,  consider 
the  situation  shown  in  Figure  11-4.  Here  top  action  A  was  created  at  G.  Its 
descendant  A.1  was  running  at  H,  and  A.I's  descendant  A.1.1  was  running  at  I  at  the 
time  H  crashed.  When  H  recovers,  it  must  be  entered  in  the  map  with  a  map- 
deadline  greater  than  the  map-deadline  of  A.1 .1 .  The  only  way  to  guarantee  this  is  to 
have  H’s  map-interval  be  at  least  as  big  as  G's.  This  requirement  poses  a  problem  if 
there  is  ever  a  need  to  change  the  map-interval.  It  is  possible  to  increase  the  map- 
interval  and  have  the  change  propagated  incrementally  throughout  the  system,  but 
decreasing  the  map- interval  is  much  more  difficult. 

It  is  too  early  to  predict  how  well  the  deadline  scheme  will  work.  Walker  performed 
an  analysis  (see  [22])  that  indicated  the  scheme  will  work  well  under  "typical” 
system  load.  This  analysis  is  based  on  assumptions  about  what  a  typical  load  is.  for 
example,  how  often  guardians  create  top  actions  and  how  often  aborts  happen.  If 
these  assumptions  are  correct,  then  the  scheme  will  be  successful.  However,  since 
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Figure  1 1  -4:  An  Orphan  Example. 


the  Argus  implementation  is  not  yet  finished,  it  is  too  early  for  us  to  validate  the 
assumptions.  This  will  be  possible  only  when  statistics  can  be  collected  about  the 
actual  use  of  Argus. 

4.  SPECIFICATION  AND  IMPLEMENTATION  OF  ATOMIC  TYPES 

An  atomic  data  type,  like  a  regular  abstract  data  type  [15],  provides  a  set  of  objects 
and  a  set  of  operations.  An  atomic  type  is  an  abstraction,  and  hence  is  described  by 
a  specification ;  it  may  be  implemented  by  a  program.  As  with  regular  abstract  types, 
the  operations  provided  by  an  atomic  type  are  the  only  way  to  access  or  manipulate 
the  objects  of  the  type.  Unlike  regular  types,  however,  an  atomic  type  provides 
serializability  and  recoverability  for  activities  that  use  objects  of  the  type.  Argus 
provides  a  number  of  built  in  atomic  types,  anu  in  addition  provides  facilities  that 
permit  users  to  implement  now  atomic  types  (see  [24]). 

VVeihl  [23]  studied  the  pioblems  of  specifying  and  implementing  atomic  data  types. 
In  particular,  he  addressed  three  fundamental  questions: 

•  Wh  it  is  an  atomic  type? 

We  need  a  precise  characterization  of  the  behavior  of  atomic  types.  For 
example,  we  need  to  know  how  much  concurrency  can  be  allowed  by  an 
atomic  type. 

•  How  do  we  specify  an  atomic  type ? 

What  aspects  of  the  typo's  behavior  must  appear  in  the  specification  of 
an  atomic  type,  and  how  should  the  specification  be  structured? 

•  How  do  we  impt  ■ enf  an  atomic  type? 

What  problems  st  be  solved  in  implementing  an  atomic  type,  and 
what  kinds  of  programming  language  constructs  make  this  task  simpler? 

Tu  answer  the  first  two  questions  existing  work  on  concurrency  control  (or 
serializability)  was  generalized  in  three  ways: 

•  The  definition  of  atomicity  is  data  dependent:  It  is  based  on  an  explicit 
specification  of  the  desired  behavior  for  the  data  types  shared  by 
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activities.  This  is  crucial  in  achieving  the  concurrency  required  by 
applications. 

•  The  definition  of  atomicity  is  integrated:  Both  serializability  and 
recoverability  are  treated.  This  facilitates  the  description  and 
verification  of  implementations  of  atomic  types,  which  necessarily  must 
cope  with  both. 

•  The  focus  is  on  modularity  issues:  Local  properties  of  individual  objects 
that  ensure  atomicity  of  activities  are  identified,  and  conditions  under 
which  different  kinds  of  objects  can  be  combined  in  a  single  system 
while  preserving  atomicity  of  activities  are  described. 

Weihl  explored  three  local  properties,  each  of  which  is  optimal:  No  strictly  weaker 
local  property  suffices  to  ensure  atomicity.  The  three  properties  characterize 
respectively  the  behavior  of  three  classes  of  protocols:  two-phase  locking  protocols 
(e.g.,  see  [6],  [18]),  in  which  the  serialization  order  of  activities  is  determined  by  the 
order  in  which  they  access  objects;  mu/ti-version  timestamp- based  protocols  (e.g., 
see  [21]),  in  which  the  serialization  order  of  activities  is  determined  by  a  pre¬ 
determined  total  order;  and  hybrid  protocols  (e.g.,  see  [1],  [3],  [5]),  which  use  a 
combination  of  these  techniques. 

Weihl  also  presented  a  novel  locking  protocol  and  verified  its  correctness.  His 
protocol  generalizes  previously  existing  protocols  in  two  ways:  First,  it  permits  the 
results  of  operations,  as  well  as  their  arguments,  to  be  used  in  determining  the 
appropriate  lock  mode.  This  extra  information  can  be  used  to  allow  greater 
concurrency.  Second,  the  protocol  handles  partial  and  non-deterministic 
operations.  It  thus  has  a  wider  range  of  application  than  previously  existing 
protocols,  which  require  operations  to  be  both  total  and  deterministic.  In  addition, 
the  implementation  of  both  synchronization  and  recovery  are  described  and  verified; 
descriptions  of  previously  existing  protocols  are  limited  to  synchronization  alone. 

Weihl's  approach  to  specifying  atomic  types  permits  the  programmer  of  an 
individual  activity  to  ignore  how  atomicity  is  achieved.  To  reason  about  whether  an 
individual  activity  preserves  consistency,  one  needs  only  the  serial  specification  of 
each  type  used  by  the  activity,  and  the  knowledge  that  activities  are  atomic;  one 
need  not  know  how  types  cooperate  to  ensure  atomicity. 

In  addition,  Weihl’s  specification  framework  supports  an  approach  that  permits  the 
concurrent  specification  of  a  type  to  be  derived  systematically  from  a  specification  of 
its  sequential  behavior.  Thus,  the  problem  of  specifying  a  type  is  reduced  to  the 
simpler  problem  of  specifying  how  it  should  behave  in  the  absence  of  concurrency. 

Finally,  several  example  implementations  of  atomic  types  are  presented  in  [23], 
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illustrating  how  existing  techniques  for  synchronization  and  recovery  can  be 
extended  to  use  information  about  the  specifications  of  objects  to  increase 
concurrency.  Linguistic  support  for  atomic  types  is  also  explored  through  an 
analysis  of  the  advantages  and  disadvantages  of  several  alternative  approaches. 

In  the  remainder  of  this  section  we  describe  informally  one  of  the  local  atomicity 
properties  explored  by  Weihl,  and  discuss  how  it  relates  to  two-phase  locking 
protocols. 


4.1 .  Description  of  Dynamic  Atomicity 

Atomic  activities  are  characterized  by  two  properties:  serializability  and 
recoverability.  Serializability  means  that  the  concurrent  execution  of  a  group  of 
activities  is  equivalent  to  some  serial  execution  of  the  same  activities.  Recoverability 
means  that  each  activity  appears  to  be  all-or-nothing:  Either  it  executes  successfully 
to  completion  (in  which  case  we  say  that  it  commits),  or  it  has  no  effect  on  data 
shared  with  other  activities  (in  which  case  we  say  that  it  aborts). 

The  problem  in  defining  a  local  property  of  objects  that  ensures  global  atomicity  of 
activities  is  illustrated  by  the  following  example.  Consider  a  system  containing  two 
objects,  x  and  y,  each  with  read  and  write  operations,  and  each  with  initial  value  0. 
Suppose  that  x  is  implemented  using  two-phase  locking,  and  y  is  implemented  using 
multi  version  timestamping.  Now  suppose  there  are  two  activities  a  and  b,  with 
timestamps  1  and  2,  respectively.  Consider  the  following  execution: 

b  reads  x,  receiving  0. 
b  writes  1  into  y. 
b  commits. 

a  reads  y,  receiving  0. 
a  writes  1  into  x. 
a  commits. 

This  execution  is  not  serializable:  In  a  serial  execution,  the  second  activity  should 
see  the  value  written  by  the  first,  but  both  a  and  b  read  the  initial  values  of  one  of  the 
objects.  However,  the  execution  is  atomic  at  each  object:  At  x,  b  is  serializable 
before  a,  and  at  y,  a  is  serializable  before  b.  In  a  sense  we  have  an  agreement 
problem:  For  activities  to  be  atomic,  the  objects  in  the  system  must  agree  on  at  least 
one  serialization  order  for  the  committed  activities.  In  this  case  x  and  y  do  not  agree 
on  a  serialization  order  for  a  and  b,  and  atomicity  is  violated.  Achieving  agreement 
can  be  difficult  because  each  object  is  aware  of  only  the  events  in  which  it 
participates.  In  other  words,  each  object  has  purely  local  information;  no  object  has 
complete  information  about  the  global  computation  of  the  system.  One  can  imagine 
building  a  system  in  which  objects  have  more  global  information;  however,  such  an 
organization  suffers  from  lack  of  modularity. 


159 


PROGRAMMING  METHODOLOGY 


The  reason  that  x  and  y  do  not  agree  on  a  serialization  order  in  this  example  is  that 
they  use  incompatible  protocols  to  ensure  atomicity.  If  both  objects  used  two- phase 
locking,  or  both  used  multi  version  timestamping,  the  above  execution  could  not 
occur  and  atomicity  would  be  guaranteed.  Our  goal  in  defining  a  local  atomicity 
property  is  to  ensure  that  activities  are  atomic  whenever  all  objects  shared  by  the 
activities  satisfy  the  local  atomicity  property.  Note  that  any  such  local  atomicity 
property  must  be  satisfied  by  at  most  one  of  the  objects  x  and  y.  The  property 
dynamic  atomicity,  described  below,  ensures  global  atomicity  by  ruling  out  objects 
like  y  while  allowing  objects  like  x. 

Dynamic  atomicity  characterizes  the  behavior  of  objects  implemented  with 
protocols  like  two-phase  locking,  in  which  the  serialization  order  of  activities  is 
determined  dynamically  based  on  the  order  in  which  activities  access  objects.  The 
essence  of  such  protocols  is  the  notion  of  delay:  If  the  steps  executed  by  one 
activity  conflict  with  the  steps  executed  by  another  activity,  then  one  of  the  activities 
must  be  delayed  until  the  other  has  committed.  As  discussed  in  [23],  an 
implementation  of  dynamic  atomicity  need  not  actually  delay  activities  to  achieve  this 
effect.  All  that  is  necessary  is  that  the  overall  effect  for  committed  activities  be  as  if 
conflicts  were  resolved  by  delays.  Indeed,  most  optimistic  protocols  (e.g.,  see  [10]) 
resolve  conflicts  by  aborting  some  activities  when  they  try  to  commit,  but  the  overall 
effect  is  as  required  by  dynamic  atomicity. 

Weihl  captures  this  notion  of  delay  more  precisely  as  follows:  Given  an  execution 
h,  define  the  relation  precedes{h)  to  contain  all  pairs  <a,  b>  (where  a  and  b  are 
activities)  such  that  some  operation  invoked  by  b  in  h  terminates  after  a  commits  in 

/t.1 

We  can  illustrate  this  notion  by  means  of  example  executions.  In  the  examples, 
suppose  x  is  a  set  object  with  two  operations,  insert  (to  insert  a  new  element)  and 
member  (to  determine  whether  a  given  element  is  in  x).  in  example  executions, 
events  are  denoted  by  triples,  indicating  the  type  of  the  event,  the  object  at  which  it 
occurred,  and  the  activity  involved.  Thus,  for  example,  the  triple  <insert(2),x,a> 
denotes  the  invocation  of  the  insert  operation  with  argument  2  at  object  x  by  activity 
a.  Similarly,  the  triple  <ok,x,a>  denotes  the  termination,  with  result  "ok,"  of  an 
operation  invoked  by  a  on  x. 

Now  let  h  be  the  following  execution: 


Note  that  there  is  a  distinction  between  an  activity  completing  by  committing  or  aborting,  and  an 
operation  terminating  by  returning  information  An  activity  may  execute  any  number  o(  operations 
before  completing.  In  addition,  it  is  possible  for  b  to  commit  after  a  in  h,  yet  for  all  of  O' s  operations  to 
terminate  before  a  commits,  in  this  case  the  pair  <a  .h>  is  not  in  precedes(h). 
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(insert(2),x,a> 

<ok,x,a> 

<member(3),x.b> 

<false,x,b> 

<commit,x,b> 

<commit,x.a> 

Then  precedes(h)  is  the  empty  relation  (no  operation  invoked  by  a  or  b  terminates 
after  the  other  activity  commits).  However,  if  h  is  the  execution 

<insert(2),x,a> 

<ok,x,a> 

<member(3),x,b> 

(commit,  x,a> 

(false, x,b> 

(commit,x,b> 

then  precedes(h)  contains  the  pair  <a,b>. 

The  relation  precedes(h)  captures  our  intuitive  notion  of  delay:  If  b  is  delayed  until 
after  a  commits  in  an  execution  h,  then  (a,b>  will  be  in  preccdes(h).  Thus,  if  two 
committed  activities  conflict,  dynamic  atomicity  requires  one  of  them  to  "precede" 
the  Other.  Turning  this  statement  around,  if  neither  <a.b>  nor  <b.a>  is  in  preccdes(h), 
then  a  mid  b  must  not  conflict  in  h.  In  other  words,  they  must  be  serializable  in  the 
order  a  followed  by  b  (written  ab)  and  in  the  order  b-a.2 In  general,  dynamic 
atomicity  requires  all  executions  h  permitted  by  an  object  to  satisfy  the  following 
property:  The  committed  activities  in  h  must  be  serializable  in  all  total  orders 
consistent  with  precedes {h)3 

For  example,  the  following  execution  h  is  atomic,  but  does  not  satisfy  the 
requirements  for  dynamic  atomicity: 


p 

Serinlizahility  is  defined  with  respect  In  the  specifications  of  the  obiects  involved  A  Instory  />  can 
he  serialized  in  a  given  order  if  the  specifications  of  the  ohiocts  permit  the  activities  in  h  to  be 
e*.  ruled  serially  m  that  order  so  that  they  invoke  the  same  operations  as  in  h  and  receive  the  same 
results 

'^As  noted  in  |?3)  natural  restrictions  on  elocutions  guarantee  that  the  "precedes”  relation  is  a 
partial  order,  ensuring  that  there  are  total  orders  consistent  with  it 
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concurrency  control  method  employing  state  information.  This  method  is  general:  it 
can  be  used  to  implement  any  concurrency  control  scheme  that  preserves 
serializability,  but  at  the  potential  cost  of  increased  message  traffic  and  additional 
constraints  on  availability. 

Herlihy’s  reconfiguration  technique  allows  the  availability  properties  of  replicated 
data  to  be  changed  dynamically.  The  ability  to  reconfigure  incurs  a  negligible  cost 
when  it  is  not  used.  When  an  object  is  actually  reconfigured,  the  technique  imposes 
a  cost  in  the  form  of  a  temporary  period  of  increased  message  traffic  and  reduced 
availability.  A  replicated  reference  counting  scheme  is  introduced  to  discard 
information  rendered  obsolete  by  reconfiguration. 

Herlihy  also  developed  an  extension  to  the  method  that  increases  availability  in  the 
presence  of  partitions.  This  technique  preserves  serializability,  but  not  external 
consistency.  It  does  not  require  explicit  partition  detection  or  static  transaction 
classes,  it  is  independent  of  the  concurrency  control  method,  and  it  imposes 
negligible  costs  when  it  is  not  used. 
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If  queues  were  implemented  in  terms  of  files,  then  files  must  be  read  and  written  to 
implement  both  Enq  and  Deq.  leading  to  the  quorum  choices  shown  in  Figure  11-6. 
However,  the  dependency  relation  for  queues  allows  more  freedom  in  choosing 
quorums,  as  is  shown  Figure  11-7.  (In  this  figure,  we  distinguish  Deq  events  that 
terminate  normally  from  those  that  terminate  abnormally,  since  different  final 
quorums  can  be  used  in  the  two  cases.)  This  extra  flexibility  can  be  used  to  increase 
the  availability  of  the  Enq  operation  at  the  expense  of  decreased  availability  of  the 
Deq  operation.  Such  a  tradeoff  would  allow  clients  of  a  printer  service  to  continue 
queuing  requests  for  printing  even  when  the  device  itself  is  down. 


Enq  (3,3) 

Normal  Deq  (3,3) 

Abnormal  Deq  (3,0) 


Figu  re  11-6:  Quorum  Choices  Available  for  Queues  Implemented  by  Files. 


Enq 

Normal  Deq 
Abnormal  Deq 


(0,1)  (0,2)  (0,3) 
(5,1)  (4,2)  (3,3) 
(5,0)  (4,0)  (3,0) 


Figu  re  11-7:  Quorum  Choices  for  Queues  Implemented  by  Logs. 


5.3.  Additional  Results 

In  addition  to  developing  the  basic  replication  method,  Herlihy  also  extended  the 
method  to  include  concurrency  control,  to  allow  the  system  to  be  reconfigured,  and 
to  permit  continued  execution  in  the  presence  of  partitions. 

Although  the  method  permits  replication  and  concurrency  control  to  be 
implemented  independently,  as  was  assumed  above,  a  higher  level  of  concurrency 
can  be  supported  if  the  concurrency  control  method  is  integrated  with  the 
replication  method.  Herlihy  developed  a  simple  and  efficient  concurrency  control 
method  based  on  predefined  operation  conflicts.  This  method  is  optimal  for  the 
amount  of  information  it  uses:  no  concurrency  control  method  based  exclusively  on 
predefined  conflicts  can  support  a  higher  level  of  concurrency.  Nevertheless,  the 
method  has  two  disadvantages:  because  it  does  not  take  advantage  of  state 
information,  it  is  inherently  limited  in  the  level  of  concurrency  it  can  support,  and  it 
provides  poor  support  for  partial  operations. 

To  remedy  these  shortcomings,  Herlihy  also  developed  a  more  powerful 
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Informally,  a  request  depends  on  an  event  if  omitting  that  event  from  a  request's 
view  might  produce  an  incorrect  response.  For  example,  consider  files  with  the 
standard  read  and  write  operations.  Read  requests  depend  on  (all)  Write  events 
(events  whose  request  part  is  a  write),  because  the  correct  response  to  Read 
requires  knowledge  of  prior  Write  events.  Write  requests  do  not  depend  upon  prior 
Read  or  Write  events,  because  the  response  to  the  Write  is  always  the  same. 
Similarly,  Deq  requests  depend  on  prior  Enq  and  normal  Deq  events  ( Deq  events  that 
return  an  item),  because  knowledge  of  these  events  is  needed  to  determine  which 
item  to  dequeue.  Enq  requests  do  not  depend  on  any  prior  events,  because  Enq ,  like 
Write,  has  only  one  possible  response.  Expressing  the  dependency  relation  in  terms 
of  events  allows  a  request  to  depend  on  just  a  subset  of  the  events  associated  with  a 
single  operation. 

Constraints  on  quorum  intersections  can  be  derived  from  the  dependency  relation 
as  follows:  To  carry  out  a  request,  the  initial  quorum  must  intersect  with  the  final 
quorum  of  all  operation  executions  leading  to  events  depended  on  by  the  request.  It 
can  be  shown  that  choosing  quorums  in  this  manner  leads  to  a  correct 
implementation,  and  that  no  weaker  set  of  constraints  can  guarantee  correctness. 

For  example,  the  initial  quorum  lor  a  read  request  must  intersect  the  final  quorum 
for  every  execution  of  a  write  operation,  since  read  depends  on  all  write  events. 
However,  the  initial  quorum  of  a  write  request  needs  to  intersect  nothing,  since  a 
write  request  depends  on  no  events.  The  possible  quorum  choices  for  five  DM  sites 
are  shown  in  Figure  1 1  -5. 


Read  (1,0)  (2,0)  (3,0)  (4,0)  (5,0) 

Write  (0,5)  (0,4)  (0,3)  (0,2)  (0,1) 

Figure  1 1  -5:  Quorum  Choices  for  Files  Replicated  at  Five  Nodes. 

In  this  figure,  each  row  shows  possible  choices  for  the  initial  and  final  quorums  for 
a  set  of  events:  the  row  is  labeled  to  identify  the  set  of  events.  Thus  "read"  refers  to 
all  events  associated  with  executions  of  the  read  operation,  while  "write"  refers  to  all 
events  associated  with  executions  of  the  write  operation.  Each  column  shows  a  set 
of  consistent  choices  for  all  the  rows.  Thus,  if  in  carrying  out  a  read  request  we  read 
from  an  initial  quorum  consisting  of  two  DM’s  (and  write  to  none),  then  in  performing 
a  write  operation  we  must  write  to  a  final  quorum  consisting  of  four  DM’s.  In  any 
given  system,  one  of  the  columns  must  be  chosen. 

By  providing  direct  support  for  objects  of  arbitrary  abstract  type,  our  replication 
method  imposes  fewer  constraints  on  quorum  choice  than  existing  replication 
methods  based  on  files.  For  example,  consider  the  queue  object  discussed  above. 
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some  action  A  would  not  be  visible  to  other  operations  that  use  that  log  on  behalf  of 
other  actions  until  A  terminates.  Furthermore,  if  A  aborts,  then  its  modifications  to 
the  log  would  be  undone. 

As  mentioned  above,  an  entry  in  the  log  records  an  operation  that  has  been 
applied  to  the  object.  Each  log  entry  is  stamped  with  a  unique  timestamp.  This 
timestamp  is  selected  by  the  concurrency  control  system  in  such  a  way  that  the 
timestamps  define  a  total  order  that  is  consistent  with  the  serialization  order  of  the 
actions  that  cause  the  operations  to  be  executed.  For  example,  if  logs  were 
implemented  as  built-in  atomic  objects  of  Argus,  then  timestamps  would  be  chosen 
as  part  of  two-phase  commit,  and  written  into  their  associated  entries  automatically 
as  part  of  phase  2. 

An  operation  is  executed  in  the  following  four  steps. 

1 )  When  a  TM  receives  a  request  from  a  client,  it  reads  the  logs  from  an 
initial  quorum  of  DM's  for  that  request.  These  logs  are  merged  in 
timestamp  order  to  construct  a  larger  log  called  a  view. 

2)  The  TM  chooses  a  response  consistent  with  the  object  state  as  defined 
by  the  view. 

3)  The  TM  records  the  request  and  response  by  appending  a  new  entry  to 
the  view,  and  sending  the  modified  view  to  a  final  quorum  of  DM’s  for 
that  event.  Each  DM  in  the  final  quorum  merges  the  view  with  its 
resident  log. 

4)  The  response  is  returned  to  the  client. 

An  analysis  of  the  algebraic  structure  of  an  object's  type  is  used  to  derive  a 
dependency  relation,  which  can  then  be  used  to  derive  a  set  of  constraints  on 
quorum  intersections.  The  basic  idea  is  that  to  carry  out  a  request  to  execute  an 
operation,  it  is  necessary  to  observe  the  effects  of  some  of  the  operation  executions 
that  occurred  in  the  past.  A  dependency  relation  thus  relates  a  request  to  a  set  of 
past  executions.  This  notion  of  past  executions  is  expressed  in  terms  of  events, 
which  are  request  response  pairs. 

For  example,  consider  a  queue  object  with  an  Enq  operation  to  enqueue  an  item  at 
the  head  of  a  queue  and  a  Deq  operation  to  dequeue  an  item  from  the  tail  of  the 
queue.  The  Enq  operation  always  terminates  normally;  an  execution  of  Enq  is 
represented  by  an  event  <Enq(x),  ok>.  The  Deq  operation  terminates  normally  if  the 
queue  is  non  empty,  leading  to  an  event  of  the  form  <Deq(),  ok(x)>;  however,  if  the 
queue  is  empty  the  operation  terminates  abnormally,  described  by  an  event  of  the 
form  <Deq(),  empty). 
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can  be  detected  by  the  absence  of  a  response,  we  do  not  assume  that  the  different 
kinds  of  failure  can  be  distinguished:  the  absence  of  a  response  may  indicate  that 
the  original  message  was  lost,  that  the  reply  was  lost,  that  the  recipient  has  crashed, 
or  simply  that  the  recipient  is  slow  to  respond. 

The  basic  containers  for  data  are  called  objects.  Each  object  has  a  type ,  which 
characterizes  its  behavior  by  defining  a  set  of  possible  states  together  with  a  set  of 
primitive  operations  that  provide  the  (only)  means  to  create  and  manipulate  objects 
of  that  type.  Each  type  has  an  accompanying  specification  that  gives  the  meaning  of 
the  operations  provided  by  the  type.  A  replicated  object  is  an  object  whose  state  is 
stored  redundantly  at  multiple  sites. 

Replicated  objects  a<e  implemented  by  two  kinds  of  modules:  Data  Managers 
(DM's)  and  Transaction  Managers  {TM's).  (Both  the  TM's  and  DM’s  could  be  Argus 
guardians.)  The  object’s  state  is  replicated  among  the  DM’s  and  managed  by  the 
TM’s.  DM's  serve  as  long  term  repositories  for  the  object’s  state,  while  TM's  execute 
the  object's  operations  on  behalf  of  the  object's  clients.  To  apply  an  operation  to  a 
replicated  object,  a  client  sends  a  request  to  a  TM  for  the  object.  The  TM  reads  the 
data  from  some  collection  of  DM’s,  carries  out  a  local  computation,  sends  updates  to 
some  collection  of  DM’s,  and  returns  a  response  to  the  client.  Each  operation  is 
executed  atomically. 

An  operation’s  availability  to  a  client  depends  on  two  factors:  the  client  must  first 
be  able  to  locate  a  TM  for  the  object,  and  the  TM  must  in  turn  locate  enough  DM's  to 
carry  out  the  operation.  Because  the  TM’s  do  not  interact  directly  with  one  another, 
new  TM’s  can  be  created  without  affecting  existing  ones.  Consequently,  TM’s  can 
be  replicated  to  an  arbitrary  extent,  implying  that  the  availability  of  the  replicated 
object  is  determined  by  the  availability  of  the  DM’s. 

5.2.  The  Replication  Method 

Unlike  most  other  replication  methods,  the  object  is  not  represented  by  a  collection 
of  copies;  instead,  each  DM  maintains  a  partial  log  of  the  operations  that  have  been 
applied  to  the  object.  The  method  is  based  on  the  notion  of  a  quorum,  which  is  a  set 
of  DMs.  Associated  with  each  operation  are  a  set  of  initial  quorums  and  a  set  of  final 
quorums.  To  execute  the  operation,  it  is  necessary  to  read  the  logs  from  all 
members  of  one  of  the  initial  quorums,  and  update  the  logs  of  all  members  of  one  of 
the  final  quorums. 

In  the  following  we  assume  that  concurrency  control  is  implemented  independently 
of  the  replication  method.  This  could  be  accomplished  by  having  each  log  be  a  built- 
in  atomic  object  of  Argus.  In  this  case  the  system  would  manage  read  and  write 
locks  for  the  logs,  and  changes  made  by  one  operation  to  some  log  on  behalf  of 
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5.  REPLICATION 

Replicated  data  is  data  that  is  stored  redundantly  at  multiple  locations  in  a 
distributed  system.  Replication  can  enhance  the  availability  of  data  in  the  presence 
of  failures,  increasing  the  likelihood  that  the  data  will  be  accessible  when  it  is 
needed.  Replication  is  needed  to  implement  distributed  programs  in  which  a  high 
level  of  availability  is  important,  such  as  banking  systems,  airline  reservation 
systems,  authentication  servers,  and  mail  systems. 

Herlihy  [8]  has  developed  a  new  method  for  managing  re  plicated  data.  Unlike 
many  methods  that  support  replication  only  for  uninterpreted  files,  his  method  makes 
use  of  type-specific  properties  of  objects  (such  as  sets,  queues,  or  directories)  to 
provide  more  effective  replication.  The  method  is  both  general  and  systematic.  It  is 
general  because  it  is  applicable  to  objects  of  arbitrary  type,  and  it  is  systematic 
because  constraints  on  correct  implementations  are  derived  directly  from  the 
algebraic  structure  of  the  data  type  in  question.  These  constraints  are  both 
necessary  and  sufficient:  any  replicated  implementation  satisfying  these  constraints 
is  correct,  and  no  smaller  set  of  constraints  guarantees  correctness.  Herlihy’s 
method  is  described  below. 

5.1.  Model  of  Computation 

The  replication  method  is  based  on  a  model  of  computation  similar  to  the  one 
assumed  by  Argus.  A  distributed  system  consists  of  a  collection  of  sites  connected 
(only)  by  a  communication  network.  A  site  consists  of  one  or  more  processors,  one 
or  more  levels  of  memory,  and  any  number  of  devices.  We  assume  that  any  site  can 
communicate  with  any  other  when  the  network  is  functioning  properly.  We  make  no 
assumptions  about  the  speed,  connectivity,  or  reliability  of  the  network. 

The  model  admits  two  kinds  of  failures:  site  crashes  and  communication  failures. 
When  a  site  crashes,  its  resident  data  becomes  temporarily  or  permanently 
inaccessible.  We  assume  that  all  communication  failures  take  the  form  of  lost 
messages:  garbled  and  out-of-order  messages  can  be  detected  (with  very  high 
probability)  and  discarded.  Transient  communication  failures  may  be  hidden  by 
lower  level  protocols,  but  longer-lived  failures  can  result  in  situations  where 
functioning  sites  are  unable  to  communicate.  One  such  situation  is  a  network 
partition,  in  which  the  sites  are  divided  into  disjoint  sets  such  that  functioning 
members  of  different  sets  cannot  communicate.  Partitions  are  not  the  only  such 
situations  that  can  arise:  for  example,  one  site  may  be  able  to  send  messages  to 
another,  but  not  vice-versa. 

A  failure  is  detected  when  a  site  that  has  sent  a  message  fails  to  receive  a  response 
after  a  certain  duration.  Although  we  assume  that  site  crashes  and  lost  messages 
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Notice  that  two  deposit  operations  commute:  The  results  they  return  and  the  final 
state  of  the  account  do  not  depend  on  the  order  in  which  the  operations  are 
executed.  However,  two  withdraw  operations  do  not  commute:  If  the  balance  in  the 
account  is  large  enough  to  cover  either  but  not  both  of  the  withdrawals,  then  both 
the  results  returned  by  the  operations  and  the  final  state  of  the  account  depend  on 
the  order  in  which  the  operations  are  executed. 

Now  consider  the  following  execution  h,  in  which  a  first  deposits  $10  in  the 
account  and  commits,  and  then  b  and  c  concurrently  withdraw  $4  and  $3, 
respectively,  and  then  commit: 

<deposit(10),y,a> 

<ok,y,a> 

<commit,y,a> 

<withdraw(4),y,b> 

<withdraw(3),y,c> 

<ok,y,c> 

<ok,y,b> 

<commit,y,c> 

<commit,y,b> 

This  execution  satisfies  the  requirements  for  dynamic  atomicity:  Precodes(h) 
contains  the  pairs  <a.b>  and  <a,c>.  and  h  is  serializable  in  the  orders  a-b-c  and  a  c-b. 
However,  since  withdraw;  operations  do  not  commute,  none  of  the  two-phase  locking 
protocols  based  on  commutativity  can  permit  this  execution,  in  which  b  and  c 
execute  withdraw  operations  concuriontly.  to  occur. 

Dynamic  atomicity  allows  suoh  an  execution  because  the  operations  executed  by  a 
can  be  considered  in  deciding  when  those  invoked  by  b  and  c  can  be  scheduled. 
History- independent  protocols,  like  those  in  [2],  [6],  [9],  must  schedule  b  and  c  the 
same  way  regardless  of  operations  executed  earlier  by  other  activities  like  a.  and  so 
cannot  permit  b  and  c  to  execute  withdraw  operatit  3  concurrently. 

Similar  situations  arise  with  any  data  type  that  cchaves  like  a  finite  pool  of 
resources,  with  operations  to  add  objects  to  and  remove  objects  from  the  pool: 
Dynamic  atomicity  permits  activities  to  remove  objects  from  the  pool  concurrently, 
but  locking  implementations  (indeed,  any  history  independent  protocol)  will  not 
permit  this  level  of  concurrency. 

Locking  protocols  are  clearly  useful  for  many  applications,  and  can  be 
implemented  relatively  easily.  The  examples  above  illustrate,  however,  that  there 
may  be  applications  for  which  locking  protocols  are  inadequate.  Wcihl  presents 
several  implementations  that  achieve  more  concurrency  than  is  possible  with 
locking  Not  surprisingly,  some  of  these  implementations  arc  more  complex  than  the 
corresponding  ones  based  on  locking  It  remains  to  tie  seen  whether  the  increased 
concurrency  is  worth  the  added  complexity  of  the  implementations. 
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(member(2),x,a> 

<insert(3).x,b> 

(ok,x,b> 

<false,x,a> 

(member(3),x,c> 

(commit, x,b> 

<true,x,c> 

(commit, x,a> 

(commit, x,c> 

satisfies  the  requirements  for  dynamic  atomicity.  Preccdes(h)  contains  the  single 
pair  (b,c>,  and  h  is  serializable  in  the  orders  a-b-c,  b-a-c,  and  b-c-a. 

Weihl  shows  that  if  all  objects  in  a  system  are  dynamic  atomic,  then  the  activities  in 
the  system  are  atomic.  The  proof  hinges  on  the  fact  that  objects  never  "disagree" 
about  the  "precedes"  relation:  There  is  always  at  least  one  total  order  that  is 
consistent  with  all  of  the  local  "precedes"  relations.  Thus,  if  each  object  ensures 
serializability  in  all  total  orders  consistent  with  its  local  "precedes”  relation,  then 
objects  will  agree  on  at  least  one  (global)  serialization  order.  This  means  that 
dynamic  atomicity  satisfies  our  goals  for  a  local  atomicity  property.  Weihl  also 
shows  that  dynamic  atomicity  is  optimal :  No  strictly  weaker  (i.e.,  more  permissive) 
property  of  objects  suffices  to  ensure  global  atomicity. 

4.2.  Relationship  to  Locking 

Dynamic  atomicity  is  a  property  of  objects,  not  a  protocol  or  an  implementation 
technique.  It  characterizes  the  behavior  of  objects  implemented  using  two-phase 
locking  protocols  like  those  in  [2],  [6],  [9],  These  protocols  are  each  based  on  some 
notion  of  "commutativity:"  Activities  are  allowed  to  execute  operations  concurrently 
only  it  the  operations  "commute."  Locking  protocols  based  on  commutativity  have 
two  structural  limitations  that  prevent  them  from  achieving  all  of  the  concurrency 
allowed  by  dynamic  atomicity.  First,  they  are  conflict-based:  Synchronization  is 
based  on  a  pair-wise  comparison  of  operations  executed  by  concurrent  activities.  In 
contrast,  dynamic  atomicity  depends  on  the  sequences  of  operations  executed  by 
activities.  Second,  the  protocols  are  history- independent:  Synchronization  is 
independent  of  past  history,  in  particular  the  operations  executed  by  committed 
activities.  In  contrast,  dynamic  atomicity  depends  on  the  entire  execution. 

Consider,  for  example,  a  system  containing  a  bank  account  object  y  with  three 
operations:  deposit,  which  adds  a  specified  amount  to  the  balance  of  the  account; 
withdraw,  which  either  removes  a  specified  amount  from  the  account  if  the  balance 
will  remain  non-negative  (terminating  with  result  "ok”),  or  leaves  the  account 
untouched  if  the  account  has  insufficient  funds  to  cover  the  withdrawal  (terminating 
with  result  "no");  and  balance,  which  returns  the  current  balance  in  the  account. 
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<member(3),x,a> 

<insert{3),x  '.>> 

<ok,x,b> 

<false,x,a> 

<member(3),x,c> 

<commit,x,b> 

<true,x,c> 

<commit,x,a> 

<commit,x,c> 

h  is  serializable  in  the  order  a-b-c,  since  the  specification  of  the  set  object  x  allows 
the  following  execution: 

<member(3),x,a> 

<false,x,a> 

<commit,x,a> 

<insert(3),x,b> 

<ok,x,b> 

<commit,x,b> 

<member(3),x,c> 

<true,x,c> 

<commit,x,c> 

However,  since  precedes(h)  contains  only  the  single  pair  <b,c>,  h  must  also  be 
serializable  in  the  orders  b-a-c  and  b-c-a  to  be  dynamic  atomic.  This  is  not  the  case; 
for  example,  the  serial  execution 

<insert(3),x,b> 

<ok,x,b> 

<commit,x,b> 

<member(3),x,a> 

<false,x,a> 

<commit,x,a> 

<member(3),x,c> 

<true,x,c> 

<commit,x,c> 

is  not  permitted  by  the  specification  of  x. 


As  another  example,  the  execution 
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PROGHAMWING  TECHNOLOGY 


1.  INTRODUCTION 

This  is  the  report  of  the  Programming  Technology  Group.  The  main  effort  of  the 
group  continues  to  be  development  of  a  computer-based  planning  system  to  be  used 
where  voluminous  data  is  available  and  necessary  to  support  planning.  Within  the 
Programming  Technology  Group  this  year,  development  has  focused  on  finishing 
and  refining  the  following: 

•  Movement  of  a  large  system  of  software  development  tools,  centered 
upon  MDL,  from  the  DECSYSTEM-20/TOPS-2Q  environment  in  which  it 
was  initially  constructed,  to  an  open  set  of  environments  including  Vax- 
Unix  and  systems  based  on  the  68000  family  of  chips. 

•  A  planning  aid  based  on  the  essential  ideas  of  VisiCalc,  but  including 
symbolic  computation,  data  management,  and  graphic  display. 

•  A  graphical  programming  and  monitoring  system. 

The  language  MDL,  that  is  the  centerpiece  of  the  system  of  software  development 
tools  being  transported  to  the  Vax  and  68000  environments,  is  both  an  extension  of 
LISP  and  a  production  language  that  supports  programming  in  a  more  conventional 
Fortran-like  style.  The  acronym  "MIM,"  used  in  the  remainder  of  the  report,  stands 
for  Machine  Independent  MDL. 

Currently  the  group’s  work  is  focused  on  implementation  of  the  planning  system  at 
LCS  headquarters  and  at  DARPA,  A  Vax  1 1  /780  was  installed  at  LCS  headquarters 
in  the  late  winter  of  1984  and  LCS  administration  is  expected  to  start  using  the 
planning  system  some  time  this  summer  or  fall  for  a  lull  range  of  financial  and 
personnel  planning  activities.  A  Vax- 11/780  has  also  been  purchased  for  DARPA 
and  a  version  of  the  planning  system  is  expected  to  be  operating  there  in  the  fall  of 
1984. 

2.  MIM  COMPILER  DEVELOPMENT 

At  the  beginning  of  the  reporting  year,  the  three  compilers  that  constitute  the 
current  set  for  MIM  (MIMC,  MIMOC20  and  MIMOCVax)  were  all  woiking  adequately. 
However,  increased  usage  of  the  compilers  by  the  user  community  revealed  some 
shortcomings  in  them.  There  were  three  areas  of  concern: 

1)  The  code  produced  ran  too  slowly. 

2)  The  compilers  themselves  ran  too  slowly. 

3)  The  compilers  ran  in  old  MDL  as  opposed  to  MIM. 
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A  large  portion  of  the  group’s  effort  was  spent  addressing  these  issues  and 
significant  progress  has  been  made.  Both  MIMOC20  and  MIMOCVax,  the  open 
compilers  for  the  DECSYSTEM-20  and  Vax/Unix,  were  improved  in  a  number  of 
ways. 

•  The  register  allocation  algorithm  for  MIMOC20  was  completely 
overhauled  .  Optimizations  were  added  to  prevent  unnecessary  storing 
of  temporaries  in  memory  and  to  keep  values  in  registers  during  tight 
loops.  These  optimizations  already  existed  in  MIMOCVax,  so  it  was  not 
necessary  to  implement  them. 

•  A  "look  ahead"  mechanism  was  added  to  both  of  the  MIMOCs.  This 
mechanism  enables  two  or  three  different  virtual  MIMA  instructions  to  be 
compiled  together  into  less  object  code  instructions.  For  example,  if  a 
series  of  MIMA  instructions  extracts  a  value  from  a  structure,  adds  one 
to  it  and  puts  the  result  back  into  the  structure,  this  can  compile  into  one 
instruction  on  either  the  DECSYSTEM-20  or  the  Vax.  Without  the  look 
ahead  mechanism,  this  kind  of  combining  of  instructions  would  be 
impossible. 

•  In  order  to  decrease  the  overhead  involved  in  making  function  to 
function  calls  within  a  compiled  package  of  functions,  a  faster  internal 
calling  sequence  was  added  to  MIMOC20.  This  also  permits  the 
compiler  to  throw  away  the  entry  information  for  the  internal  compiled 
functions.  This  optimization  may  be  added  to  MIMOCVax  at  some  later 
time. 

« All  three  MIM  compilers  were  found  to  be  unacceptably  slow  for 
reasonable  use.  A  major  reason  for  this  was  the  necessity  of  always 
compiling  an  entire  file  at  one  time  when  in  fact  only  one  or  two 
functions  had  changed  since  the  file  was  previously  compiled.  A  partial 
recompilation  facility  has  been  added  to  all  three  of  the  compilers.  This 
facility  permits  a  user  to  recompile  only  those  functions  that  have 
changed  since  the  last  time  the  program  was  compiled. 

•  Unfortunately  using  the  precompilation  facility  precludes  producing 
glued  code  in  MIMOC20  and  MIMOCVax.  A  program  to  glue  code 
produced  by  MIMOC20  has  been  written  to  address  this  problem.  This 
enables  a  user  to  take  advantage  of  both  the  convenience  of  partial 
recompilation  and  performance  of  glued  function  calls.  Since  the  Vax 
has  variable  length  instructions,  writing  an  after  the  fact  glue  program  is 
much  more  complex.  As  of  now,  we  haven’t  undertaken  it. 
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•  It  is  always  dangerous  to  compile  a  compiler  using  itself  because  the 
possibility  of  introducing  very  obscure  bugs  is  always  present.  These 
obscure  bugs  come  about  because  if  the  compiler  miscompiles  itself, 
the  error  may  not  show  up  until  something  else  is  compiled.  This  is  often 
referred  to  as  the  recursive  compiler  bug.  In  order  to  minimize  the 
likelihood  of  recursive  compiler  bugs,  we  delayed  moving  the  compilers 
from  old  MDL106  into  MIM  for  as  long  as  possible.  We  wanted  to  make 
sure  things  were  very  reliable  before  doing  this.  That  level  of  reliability 
has  been  achieved  and  all  three  compilers  a/e  now  running  in  M  M, 

•  Moving  the  compilers  from  MDL106  to  MIM  did  introduce  some  new 
performance  problems  especially  in  I/O.  MIM's  I/O  is  very  general  and 
flexible  but  is  also  slower  than  MDL106  I/O.  However,  by  writing  special 
output  programs  that  are  specific  to  the  compilers'  needs,  we  were  able 
to  recover  the  performance  that  was  lost. 

•  Additional  benefits  of  moving  the  compilers  into  MIM  include:  the  ability 
to  compile  larger  programs,  the  capability  of  running  the  compilers  on 
the  Vax  as  well  as  the  DECSYSTEM-20  and  obviation  of  conditionals  in 
target  programs  to  get  around  incompatibilities  between  MIM  and 
MDL106. 

The  fact  that  MIMOC20  and  MIMOCVax  do  many  similar  things  in  many  different 
ways  has  led  us  to  rethink  our  approach  to  these  programs.  While  it  was  appropriate 
to  investigate  different  ways  of  writing  open  compilers  early  in  the  project,  it  has 
become  apparent  that  this  approach  involves  a  lot  of  duplicated  effort.  We  have  just 
begun  work  on  a  tabic-driven,  open  compiler  that  will  be  easily  adaptable  to  new 
machines.  We  believe  this  approach  will  result  in  a  more  maintainable  system. 

3.  MIM  DEVELOPMENT 

Although  machine-independent  MOL  (MIM)  had,  by  the  end  of  the  last  reporting 
period,  reached  a  point  where  it  could  be  used  in  place  of  old  MDL  for  most 
purposes,  it  was  still  missing  some  features  that  MDL  had,  and  its  performance  left 
something  to  be  desired.  During  this  year,  many  of  its  deficiencies  were  remedied. 
Where  possible,  new  features  appeared  in  both  the  TOPS- 20  and  the  Vax/Unix 
versions  of  MIM:  in  view  of  the  group's  continued  movement  away  from  TOPS-20, 
unique  features  appeared  only  in  the  Unix  version. 

•  The  PURIFY  facility  of  MDL  allowed  user  programs  and  data  structures 
to  be  made  read  only,  resulting  in  two  advantages:  the  read-only 
structures  wore  not  examined  by  the  garbage  collector,  thus  speeding 
things  up:  and  the  memory  occupied  by  read-only  structures  could  be 
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shared  among  several  processes,  thus  reducing  the  substantial  paging 
load  that  MDL  put  on  the  system.  We  added  this  feature  to  both  MIMs 
this  year.  Unix  doesn't  yet  allow  shared  memory  in  this  form,  but  the 
Unix  implementation  of  PURIFY  does  act  to  increase  the  virtual  memory 
available  to  a  MIM  process. 

•  GC  READ  and  GC-DUMP  allow  high-speed  I/O  of  MDL  data  structures, 
while  preserving  sharing  within  the  structures.  This  is  another  feature 
that  existed  in  old  MDL.  but  only  appeared  in  MIM  this  year. 

•  Users  can  now  build  arbitrary  MDL  objects  on  the  stack;  thus,  temporary 
data  structures  can  be  used  freely  without  invoking  the  garbage 
collector,  and  without  writing  complicated  recycling  schemes.  Old  MDL 
had  a  much  more  restricted  form  of  this;  the  implementation  of  this 
feature  was  made  much  easier  because  very  little  of  it  had  to  be  done  in 
assembly  language. 

•  On  Unix,  we  developed  an  interface  to  pipes,  which  allow  easy 
communication  between  processes.  This,  in  combination  with  a 
package  for  running  inferior  forks,  allowed  an  undergraduate  to  develop 
an  interface  to  the  INGRES  DBMS  for  use  by  the  planning  system. 

•  Since  most  of  our  Vax-11/750s  have  small  disks,  MIM,  MIMC,  and  the 
Vax  open  compiler  were  moved  to  a  file  server.  In  addition  to  saving 
space,  this  makes  it  possible  to  perform  updates  on  all  machines  in  one 
operation. 

Further  performance  enhancements  were  made  to  MIM. 

•  The  full  copy  garbage  collector  was  modified,  in  conjunction  with  the 
two  open  compilers,  such  that  it  is  essentially  hand-coded  in  critical 
areas.  Since  the  "hand-coding”  was  done  by  the  compilers,  we  were 
able  to  cause  the  same  code  to  be  generated  for  PURIFY,  thus  gaining 
the  same  speed  advantage  there  at  no  cost. 

•  READ  and  PRINT  were  made  much  faster  by  careful  rewriting  of  some 
critical  sections,  and  by  reduction  of  subroutine  calling  overhead  where 
possible. 

•  The  EVAL/APPLY  section  of  the  interpreter  also  became  much  faster 
after  some  recoding. 

Finally,  MIM  was  made  better  able  to  survive  in  the  real  world.  The  Unix  version 
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was  moved  from  Berkeley  Unix  4.1  to  4.2,  which  involved  some  major  changes  in 
system-dependent  code.  In  conjunction  with  this,  MIM  was  finally  taught  about  the 
structure  of  virtual  memory  under  Berkeley  Unix.  It  now  uses  as  little  as  it  can;  but  it 
can  get  the  maximum  amount  available  when  needed.  This  is  particularly  important 
on  the  Vax-11/750s  with  small  disks  that  many  of  our  users  do  aevelopment  on. 
Reliability  continued  to  improve  in  all  areas,  as  the  continued  improvement  in  speed 
and  features  led  to  more  extensive  use  of  the  system. 

4.  PLANNING  SYSTEM 

Work  on  the  planning  system  PLAID  has  continued  during  the  last  year.  Progress 
has  been  divided  between  improvements  and  enhancements  of  existing  features  on 
the  one  hand,  and  expansion  of  the  system  into  the  area  of  worksheet  sharing  and 
communication  on  the  other. 

Refinements  and  additions  to  many  existing  features  of  PLAID  have  been  made, 
motivated  by  comments  from  local  users  of  the  system  and  observation  of  its 
behavior. 

Major  expansion  of  the  system  has  been  performed  to  enable  sharing  of 
worksheets  among  the  members  of  a  group  of  cooperating  users.  The  user  of  the 
system  is  given  detailed  control  over  his  own  usage  of  other  users’  worksheets,  and 
also  of  other  users’  usage  of  his  own  worksheets.  The  usage  controls  have  enough 
flexibility  that  either  very  free  or  very  controlled  worksheet  sharing  is  possible. 


4.1.  Incremental  Improvements 

In  the  area  of  incremental  improvements,  we  will  touch  briefly  on  some  of  the 
changes  made  over  the  last  year. 

Major  internal  changes  have  been  made  to  the  user  interface  and  command 
interpreter.  It  is  expected  that  the  current  command  interpreter  is  the  final  redesign. 
The  new  interpreter  makes  the  definition  of  new  commands  and  new  objects  easier, 
and  also  makes  the  Help  and  Options  facilities  available  system-wide.  In  the  new 
system,  items  are  deposited  in  a  list  of  relevant  help  or  options  information  which  is 
ultimately  processed  and  displayed  by  the  command  interpreter.  Consequently,  only 
the  command  interpreter  needs  to  know  the  details  of  how  such  information  is  finally 
displayed.  One  pleasant  side-effect  of  the  new  regime  was  that  Help  and  Option 
window  placement  expertise  could  be  localized,  and  so  in  current  releases,  such 
windows  rarely  obscure  useful  information. 

The  Graph  facility  has  been  expanded  to  allow  incremental  addition  and  updating 
of  such  items  as  titles,  labels  on  graph  axes,  and  so  on.  The  data  being  graphed  may 
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be  updated  incrementally  as  well.  For  example,  the  number  of  bars  in  a  bar  graph 
may  be  changed  without  respecifying  the  entire  graph.  Finally,  a  Stacked-bar-graph 
style  was  added  to  the  existing  graph  styles  of  XY,  Polar,  Bar,  and  Pie-chart. 

Many  status  commands  and  the  data  to  support  them  were  added.  Some  of  these 
additions,  such  as  a  "Show  worksheets"  command,  were  motivated  by  the 
implementation  of  the  worksheet  sharing  facility. 

PLAID  is  now  able  to  understand  the  concept  of  time.  Dates  and  times  are  now 
legitimate  data  and  may  be  manipulated  by  equations.  The  user  may  now  have  time 
dependent  information  in  worksheets.  It  is  possible  to  set  the  current-time  (from  the 
point  of  view  of  a  worksheet)  as  well,  and  thus  explore  the  time-dependencies  of  a 
model. 

As  the  system  expanded,  it  became  apparent  that  setting  and  resetting  various 
options  each  time  it  was  started  was  too  tedious,  and  so  a  "tailor  file"  facility  was 
added.  The  tailor  file  stores  the  variable  settings  for  all  the  system  wide  variables. 

4.2.  Worksheets  as  Procedures 

PLAID  has  the  ability  to  treat  a  worksheet  as  a  procedure.  The  motivation  is  that 
once  a  model  has  been  constructed,  it  is  both  tedious  and  inefficient  to  copy  the 
entire  model  into  every  worksheet  that  wishes  to  employ  it.  A  revenue  forecasting 
model  might  be  driven  by  four  or  five  independent  variables.  It  is  in  effect  a 
procedure  which  takes  these  variables  as  arguments  and  produces  output  values.  In 
a  sensitivity  analysis,  one  might  want  to  try  several  different  values  for  each  variable. 
In  normal  circumstances,  one  laboriously  changes  the  variables,  then  copies  the 
results  into  ones  worksheet.  Some  spreadsheet  programs  allow  this  to  be 'done  in  an 
automated  way. 

In  PLAID,  the  worksheet  is  called  as  a  procedure.  It  takes  as  arguments  a  list  of 
pairs:  cells  in  the  worksheet  and  the  values  you  want  in  them.  The  old  values  are 
pushed,  the  worksheet  is  reevaluated,  values  are  pulled  out,  and  the  old  values  are 
restored.  '  he  syntax  looks  like  a  "call  by  name".  For  example: 

0MORTGAGE( PRICE : 100000 . INTEREST : 13 . 5 , TERM: 30 , PAYMENT) 

would  evaluate  the  mortgage  worksheet  with  the  named  slots'  values  replaced,  and 
return  the  contents  of  the  PAYMENT  slot. 
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4.3.  INGRES  Interface 

During  the  past  year  an  experimental  database  interface  module  was  written  (by 
Baek).  This  module  allows  records  to  be  read  or  written  from  the  INGRES  database 
system  into  a  worksheet.  For  example,  a  record  would  be  read  into  rows  of  a 
worksheet,  and  the  subrecord  names  retrieved  as  the  column  headers.  Further  work 
is  expected  to  be  done  in  this  area.  For  example,  it  would  be  useful  to  be  able  to 
define  a  worksheet  as  containing  the  records  which  meet  some  selection  criteria, 
and  have  its  contents  automatically  updated  if  any  of  the  criteria  change. 

4.4.  Constraints  and  Undo 

One  way  of  seeing  a  worksheet  is  as  a  system  of  equations  which  is  resolved  each 
time  it  is  changed.  Given  this  model,  it  would  useful  to  be  able  to  place  constraints 
on  the  values  of  these  equations,  and  to  undo  changes  that  cause  the  constraints  to 
be  violated. 

PLAID  allows  the  user  to  associate  a  constraint  with  any  cell  of  the  worksheet. 
This  constraint  is  in  the  form  of  a  predicate  which  is  reevaluated  whenever  the  value 
of  the  cell  changes.  For  example,  the  cell  A21  might  contain  the  equation 

>A21  EXPEN0ITURES=8SUM(A1. . .A20) 

which  makes  it,  perhaps,  the  total  of  expenditures  in  a  budget.  In  addition  the  cell 
can  contain  a  "Check"  equation: 

Check  EXPENDITURES  =<  20000 

which  states  that  if  the  sum  is  greater  than  $20,000,  it  violates  a  constraint.  Better 
still  might  be 

Check  EXPENDITURES  =<  REVENUES 

where  REVENUES  is  another  cell  containing  total  revenues. 

It  was  in  conjunction  with  constraint  checking  that  the  Undo  facility  was  introduced 
to  PLAID.  Whenever  a  cell  is  changed,  the  old  value  is  saved  on  an  undo  list.  The 
Undo  command  restores  the  old  cell  contents  to  the  state  at  the  beginning  of  the 
previous  command.  In  the  above  example,  use  of  Undo  would  remove  the  entry  that 
caused  the  sum  to  overflow  the  constraint. 

It  is  desirable  avoid  the  sort  of  problem  that  can  arise  when  the  user  is  shuffling 
many  values  around  in  a  summed  list  whose  total  is  constrained.  For  example,  when 
the  user  is  juggling  the  sizes  of  various  line  items  in  a  budget,  the  sum  would  almost 
inevitably  violate  the  constraints  now  and  then.  In  PLAID,  this  problem  can  be 
avoided  by  manually  turning  off  continuous  evaluation  and  continuous  constraint 
checking,  and  then  either  turning  them  on  again  or  explicitly  evaluating  using  the 
"Evaluate"  key,  which  performs  evaluation  and  checking. 
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The  Undo  facility  is  as  yet  unable  to  perform  "general"  Undos,  because  not  all 
changes  to  worksheets  or  the  PLAID  environment  are  performed  by  changing  cells 
in  the  worksheet.  The  mechanism  will  support  a  more  general  implementation,  but  it 
has  not  yet  been  installed. 

4.5.  Communication 

PLAID  allows  users  to  get  information  from  other  users’  worksheets,  subject  to  the 
restrictions  imposed  by  the  protection  scheme  described  in  the  next  section.  The 
goal  of  the  communication  scheme  was  to  enable  you  to  use  someone  else’s 
worksheet  without  being  unduly  surprised  and  discomfited  when  he  makes  major 
changes  to  it.  By  the  same  token,  it  should  not  get  in  your  way  if  you  are  using  one 
of  your  own  worksheets  or  don’t  care  about  changes  because  you  expect  them 
(when  you  are  using  a  rapidly  changing  database,  for  example). 

There  are  two  "communications"  commands,  Use  and  Update.  The  former 
establishes  a  link  between  the  current  worksheet  and  some  other,  and  the  latter 
updates  changed  values  taken  from  the  other  worksheet. 

The  full  specification  of  Use  is: 

Use  worksheet  version  when-to-update 

where  the  latter  two  arguments  have  defaults. 

Possible  versions  are  newest  and  release  (meaning  newest  "official"  release). 
Newest  version  means  to  look  for  the  file  with  the  same  first  name  as  the  worksheet 
argument  and  extension  ’’.WS".  Release  means  to  look  instead  for  an  extension  of 
".WSR".  Directories  in  the  worksheet  search  path  are  examined  in  order.  The 
search  path  may  be  specified  explicitly  by  the  user  ("Set  search-path")  or  implicitly; 
it  is  normally  the  set  of  all  directories  from  which  worksheets  have  been  loaded. 

When-to-update  specifies  the  circumstances  under  which  the  worksheet  is 
examined  for  changed  cells.  Possible  arguments  are  always ,  when-told  and  never. 
Always  means  that  whenever  the  using  worksheet  is  loaded,  the  used  worksheet  is 
also  loaded.  This  setting  provides  no  insurance  against  changes  in  the  used 
worksheet.  On  the  other  hand,  there  is  no  overhead  in  storing  old  values  from  the 
used  worksheet.  Never  means  that  the  values  in  the  used  worksheet  are  copied  and 
never  updated.  In  effect,  you  get  a  never-changing  snapshot  of  the  used  worksheet. 
vyhen-told  is  a  middle  ground.  A  snapshot  of  the  used  worksheet  is  kept  in  the  using 
worksheet,  but  it  is  updated  when  the  user  specifically  asks.  Thus,  at  some  cost  in 
overhead,  you  can  be  insulated  against  surprises. 

Issuing  a  new  Use  command  changes  tho  mode  of  usage  for  the  worksheet  being 
used,  so  (for  example)  never  mode  is  not  irrevocable. 
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The  second  part  of  the  sharing  facility  is  the  Update  command,  which  gives  the 
user  control  over  updating  of  values  in  worksheets  he  is  using. 

Update  worksheet  method 

The  method  argument  tells  how  the  copy  of  worksheet  used  by  the  current 
worksheet  should  be  updated.  There  are  three  methods  available.  "Full"  means 
that  all  changed  values  from  the  worksheet  are  accepted  without  question  or 
interaction.  "Cut"  means  that  all  new  values  are  rejected  and  the  copy  of  the 
worksheet  is  in  effect  frozen.  This  is  said  to  cut  the  connection  between  the  two 
worksheets.  Finally,  "Ask”  means  that  each  change  will  be  displayed  to  the  user, 
and  he  will  be  given  the  opportunity  to  pass  on  each  change  individually.  For  each 
reference,  the  user  has  the  option  of  accepting  the  change  or  cutting  the  link. 

One  result  of  this  scheme  is  that  a  worksheet  may  only  directly  reference  one 
version  of  another  worksheet  at  a  time.  It  may  contain  cut  references  from  earlier 
versions,  but  active  references  to  only  one  version. 

4.6.  Protection 

PLAID  provides  three  levels  of  protection,  which  may  be  applied  to  individual  users 
or  groups  of  users,  and  may  refer  to  worksheets,  regions  or  even  individual  cells. 

A  PLAID  entity  (worksheet,  region,  or  cell)  is  by  default  inaccessible  to  users  other 
than  its  owner.  Read  access  to  the  values,  read  access  to  the  model  (the  system  of 
equations)  and  write  access  may  be  permitted  by  the  owner.  When  a  worksheet  is 
used,  the  accessibility  of  the  cells  is  set  by  looking  up  the  access  for  the  user  from  an 
access-control  list  contained  in  the  worksheet.  In  effect,  the  worksheet  is  sanitized. 
Cells  that  the  user  cannot  see  look  like  they  are  empty.  Attempting  to  write  in  a  write- 
protected  cell  causes  an  error. 

PLAID  allows  access  to  be  controlled  on  the  worksheet  level  if  desired.  It  is  also 
possible  to  permit  or  refuse  access  to  regions  or  cells  as  well.  Access  may  be 
permitted  in  smaller  areas  within  large  refused  areas.  For  example,  the  owner  may 
say: 

Permit  (user)  TAA  (access)  read  (region)  A1.B18 
Refuse  (user)  TAA  (region)  B12 

The  above  grants  ti.e  user  TAA  read  access  to  all  but  one  cell  of  a  rc  angular 
region. 

In  general,  worksheets  are  files  in  an  operating  system  (TOPS-20  or  Unix),  and  as 
such  must  be  readable  to  be  Used.  In  the  initial  implementation  of  protection,  no 
attempt  has  been  made  to  resolve  the  contradictions  inherent  in  "protecting" 
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something  that  can  itself  be  read  and  potentially  edited  "out-of-band"  of  the  PLAID 
environment.  In  the  final  implementation,  worksheets  may  be  accessed  through 
some  other  mechanism  that  allows  them  to  be  read -protected  on  a  file  by  file  basis. 
Some  analogue  of  an  access-control  job  or  "message  vault"  will  be  used. 

4.7.  PLAID  and  MDL 

PLAID  was  converted  during  1982-1983  to  run  on  Unix  in  machine-independent 
MDL.  During  the  last  year,  MDL  under  Unix  became  sufficiently  well  developed  and 
complete  to  enable  PLAID  to  move  to  a  Vax -11/780  running  Unix  (Berkeley  4.2)  as 
its  primary  development  machine.  Until  then,  modules  were  debugged  and  compiled 
on  Tops-20  and  then  cross-compiled  for  Vax  Unix  and  the  object  files  moved  to  Unix. 
Now  the  situation  is  reversed. 


5.  GRAPHICAL  PROGRAMMING  AND  MONITORING  OF 
PROGRAM  BEHAVIOR 

The  purposes  of  this  project  are  (1)  to  discover  some  good  ways  to  use  graphics  to 
facilitate  the  preparation  and  understanding  of  computer  programs  and  (2)  to 
develop  a  system  for  graphical  programming  and  graphical  monitoring  of  the 
interpretation  of  programs.  The  project  is  being  carried  out  by  a  professor  and  a 
group  of  undergraduate  students.  They  have  been  at  work  on  it  for  about  20  months, 
and  they  have  some  impressions  and  the  beginnings  of  a  system.  In  order  to 
summarize,  it  will  be  best  to  begin  with  the  system,  which  represents  just  one  of 
several  approaches  that  the  group  has  explored.  The  system  is  written  in  MDL,  a 
language  similar  to  LISP.  LISPers  can  read  MDL  if  they  consider  angle  brackets  to 
be  parentheses  and  remember  that  you  have  to  put  a  period  in  front  of  a  symbol  to 
represent  the  local  value  of  the  symbol  --  and  a  very  few  other  such  things. 

Thus  far,  the  system  deals  only  with  small  program  components.  The  work  is  just 
at  1  point  of  combining  small  components  to  form  larger  ones  and  combining 
larger  ones  to  form  programs.  Let  us  take  as  an  example  the  preparation  of  a 
program  component  that  determines  whether  or  not  the  greatest  of  three  numbers 
(the  MAX  of  them)  is  or  is  not  greater  than  the  literal  integer  100.  In  MDL,  what  the 
programmer  wants  to  come  out  with  is  the  function  that  is  created  by  evaluating 

<DEFINE  NAME  (X  Y  Z)  <G?  <MAX  .X  .Y  .Z>  100» 

We  have  not  been  able  to  find  a  graphical  approach  that  works  faster  or  uses  less 
space  than  simply  writing  that  definition.  Here  is  what  we,  as  a  graphical 
programmer,  do  to  achieve  essentially  that  result: 

We  begin  with  a  running  system,  which  includes  a  display  screen  and  mouse.  On 
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the  display  is  a  large  square  with  a  tew  pictograms  in  it.  The  square  represents  a 
general  (i.e.,  as  yet  unspecified)  MDL  object.  Our  task  is  to  develop  or  differentiate 
it,  to  specify  it.  Also  on  the  display  screen  are  three  menus.  One  presents  about 
eight  alternative  things  to  do.  Another  presents  an  array  of  about  70  basic  MDL 
operators.  And  the  third  presents  an  array  of  about  30  MDL  data  types  and  classes. 
In  this  example,  we  shall  deal  with  only  a  few  of  those  menu  items. 

In  the  square  are  a  few  pictograms  that  constitute  a  menu.  The  most  frequently 
used  menu  item,  which  we  select  with  our  mouse  at  the  outset,  directs  the 
differentiation  of  the  general  MDL  object  into  an  applier,  i.e.,  a  form  that  applies  an 
operator  to  operands.  (For  the  sake  of  uniformity,  "applies"  is  interpreted  in  a  very 
general  sense,  and  an  applier  can  deal  with  special  constructs  (such  as  COND)  as 
well  as  things  that  are  unambiguously  operators.)  When  we  select  the  applier 
pictogram,  the  square  gets  a  vertical  line  down  its  middle,  to  separate  the  right-hand 
operator  half  from  the  left-hand  operand  half,  and  we  are  asked  to  specify  the 
operator.  We  select  G?  from  the  operator  menu  with  our  mouse.  A  box  containing 
G?  appears  on  the  left-hand  side  and  two  boxes  for  operands  appear  on  the  right- 
hand  side.  In  the  latter  two  boxes  are  menu  pictograms  with  which  we  can  select 
whether  to  continue  the  differentiation  with  appliers  or  to  terminate  it  by  specifying 
data  objects. 

We  want  the  top  box  on  the  right-hand  side  to  represent  the  maximum  of  the  three 
variables,  so  we  select  its  applier  pictogram.  The  system  asks  us  to  specify  the 
operator,  and  we  select  MAX  from  the  operator  menu.  Since  MAX  can  take  any 
number  of  operands,  the  system  asks  us  how  many.  We  say  "3".  Thereupon,  a  MAX 
operator  box  and  three  operand  boxes  fit  themselves  into  the  top  right-hand 
rectangle.  At  this  point,  we  can  work  on  one  of  the  three  MAX  operand  boxes,  or  we 
can  deal  with  G?'s  need  for  a  second  operand.  Let  us  go  to  the  top  MAX  operand 
box. 

From  the  top  MAX  operand  box,  we  select  the  datum  pictogram.  The  system  wants 
to  know  whether  we  want  to  specify  a  datum  value  literally  or  to  specify  a  variable  or 
constant  of  the  kind  that  would,  in  symbolic  programming,  be  specified  by  name.  (In 
graphical  programming,  the  latter  kind  has  a  place,  but  not  a  name.)  We  indicate,  by 
clicking  a  mouse  button,  the  latter  kind.  Then  we  point  to  where  we  want  it  to  reside. 
And  then  we  point  to  a  type  or  class  in  the  data  type  and  class  menu.  Let  us  select 
the  integer  pictogram.  The  system  says  that  the  standard  illustrative  value  for  an 
integer  is  10000  and  gives  us  a  chance  to  supply  an  alternative  value.  (This  value  is 
not  going  to  be  part  of  the  program,  but  it  will  go  into  a  data  base  of  data  values  for 
testing  purposes.)  We  accept  the  standard  value,  and  the  system  draws  an  integer 
pictogram  in  the  place  we  selected. 

Following  the  same  procedure,  we  deal  with  the  other  two  MAX  operand  boxes. 
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Then  we  turn  to  the  second  operand  box  of  G?.  This  time  we  tell  the  system  we  want 
to  specify  a  datum  value  literally.  We  type  "100",  and  it  replaces  the  number 
pictogram  in  the  operand  box.  That  completes  the  specification,  which,  despite  the 
length  of  this  description  required  only  a  few  mouse  selections  and  the  typing  of  four 
numbers. 

To  see  the  function  we  have  prepared,  we  select  the  function  icon  in  the  things-to- 
do  menu,  and  the  system  displays  the  definition  form  for  the  new  function,  using  the 
function  name  TEST: 

<DEFINE  TEST( 1 . 1  1.2  i.3)<G?<MAX  .i.l  .1.2  .i.3>100» 

and  gives  us  an  opportunity  to  substitute  a  name  of  our  choosing.  The  system 
cannot  yet.  but  soon  will  be  able  to,  place  a  miniaturized  copy  of  the  graphical 
pattern  we  created  into  yet  another  menu  area  so  that  we  can  use  it  as  a  component 
in  building  la  ger  units  of  program. 

We  can  test  the  newly  created  function  with  the  illustrative  data  we  supplied.  We 
accepted  the  standard  value  of  10000  for  the  first  argument  to  MAX.  Suppose  that 
we  specified  20000  and  30000  for  the  other  two  arguments.  Then,  if  we  select  the 
EVAL  icon  from  the  things-to  do  menu,  the  system  would  tell  us  that,  with  the 
specified  data  values,  the  result  is  T.  which  moans  TRUE. 

There  is  a  bit  more  to  the  system  than  just  illustrated,  but  that  may  provide  an  idea 
of  what  is  aimed  at. 

At  present,  we  are  beginning  to  work  on  (1)  getting  the  system  to  deal  with 
assemblies  of  components  and  (2)  the  incorporation  of  monitoring  features  [1].  The 
latter  will  let  the  programmer  try  out  what  he  has  done  thus  far  and  watch  its 
graphical  representation  behave  --  i.e..  watch  the  unfolding  of  the  interpretation 
process  as  the  function  resulting  from  the  defii  tion  is  applied  to  specified 
arguments. 

Finally,  a  few  brief  statements  about  problems  encountered  and  about  the  place  of 
graphics  in  programming: 

1)  The  most  distressing  problem  is  caused  by  the  disproportion  between 
the  great  complexity  of  a  serious  program  and  the  small  size  of  the 
display  screen.  With  a  v.  1  sized  display  and  a  zooming  facility,  we  think 
it  would  be  possible  to  make  a  graphical  programming  and  monitoring 
system  that  would  be  helpful  to  programmers  working  on  large 
programs.  With  anything  like  1024  x  768  pixels,  it  is  necessary  to  have  a 
lot  of  information  off  screen  where  it  is  not  really  very  graphic. 

2)  We  have  had  trouble  making  the  sys'em  run  fast  enough  to  be 
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supportive  instead  of  frustrating.  What  makes  it  slow,  mainly,  is 
calculation  and  not  graphic  display.  Even  though  the  images  are  thus 
far  mainly  just  boxes  inside  boxes,  it  may  be  necessary  to  substitute 
storage  of  prepared  images  for  calculation  and  recalculation  of  images 
on  the  fly. 

3)  There  are  several  hundred  basic  programming  constructs  in  a  typical 
programming  language,  and  nobody  wants  to  learn  several  hundred  new 
icons  or  pictograms  before  trying  out  a  new  approach  to  programming 
that  may  or  may  not  help  much.  We  have  fallen  back  upon  mnemonic 
abbreviations  of  names  for  the  basic  MDL  operators.  The  number  of 
data  types  is  smaller,  and  it  seems  right  to  use  icons  to  represent  data 
types.  The  composition  of  pictographic  representations  of  classes  of 
data  types  from  pictographic  representations  of  individual  data  types 
seems  like  a  good  research  problem  [2]. 

4)  There  will  be  several  thousand  functions  in  a  good  program  library,  and 
it  does  not  seem  probable  that,  in  a  western  language  context  in  which 
people  do  not  already  know  a  lot  of  pictograms,  a  way  will  be  found  to 
represent  library  functions  by  icons. 

5)  It  is  natural,  in  developing  a  graphical  programming  system,  to  let  the 
system  watch  over  what  the  programmer  does  and  refuse  to  let  him 
make  syntactic  (and  perhaps  certain  semantic)  mistakes.  This  can  be 
done  also  in  symbolic  programming  contexts,  as  in  the  Programmer’s 
Apprentice  and  in  syntax  checking  program-text  editors,  but  it  seems 
especially  appropriate  in  a  graphical  system  in  which  much  of  what  is 
done  is  selection  from  among  system -proffered  alternatives. 

6)  Graphical  representations  of  programs  tend  to  portray  the  structure  of 
programs  better  than  do  symbolic  representations,  even  if  the  latter 
exploit  indentation  to  achieve  a  quasi-graphical  effect.  A  goal  is  to  have 
a  graphical  display  that,  pinned  up  on  a  wall,  will  represent  a  large 
program  effectively  -  that  when  viewed  from  a  distance  will  reveal  the 
high-level  structure  and  when  viewed  from  close-up  will  explain  the 
details. 

7)  Even  if  it  proves  too  difficult  to  deal  with  the  internal  workings  of  large 
programs  graphically,  graphics  may  still  be  very  useful  in  marshaling 
programs  and  applying  them  to  data.  Each  function  can  show  pictorially 
what  data  it  needs  to  work  on,  and  each  data  set  can  show  pictorially 
what  kinds  of  operators  can  operate  successfully  upon  it.  High-level 
control  of  information  processing  is  mainly  a  matter  of  connecting 
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together  selected  operators  and  operands.  Graphics  promises  to  make  it 
just  a  matter  of  pointing  to  pairs  of  things  to  connect,  and  finding  that 
the  members  of  a  pair  fit  together  neatly  if  appropriate  for  each  other 
and  refuse  to  join  if  inappropriate. 
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1.  INTRODUCTION 

During  the  1983-4  calendar  year  there  has  been  continuing  progress  on  three 
major  project  areas,  as  well  as  several  seed  efforts  which  may  lead  to  project-level 
research  commitments  in  the  coming  year.  The  continuing  work  is  in  the  areas  of  (i) 
Personal  Workstations,  (ii)  Multiprocessor  architectures,  and  (iii)  VLSI  development 
tools;  subsequent  sections  of  this  report  are  devoted  to  each  of  these. 

2.  PERSONAL  WORKSTATIONS 

The  NU  personal  computer  and  its  companion  network-oriented  operating  system, 
TRIX,  have  been  active  RTS  projects  for  the  past  six  years.  Despite  technical 
progress,  the  history  of  technology  transfer  aspects  of  the  project  has  been 
generally  discouraging  during  most  of  this  period.  We  happily  report  a  marked 
improvement  during  the  past  year. 

2.1 .  NU  Deployment 

During  the  83-84  academic  year.  Texas  Instruments  began  production  of  a  first- 
generation  Nu  machine  based  on  technology  developed  at  RTS  and  delivered,  in 
accordance  with  the  TI/MIT  agreement,  thirty  production  machines  to  our 
Laboratory.  Each  of  these  machines  constitutes  a  competent  and  reasonably  well- 
equipped  personal  computer  comprising  Motorola  68010  processor,  2Mb  RAM, 
84Mb  disk,  Ethernet,  8088  peripheral  and  diagnostic  processor,  arrl  ,  'M-line 
bitmapped  graphics;  as  delivered,  it  runs  a  Tl  supported  variant  of  the  RTS  68000 
UNIX  port. 

These  thirty  machines  are  being  deployed  within  RTS  to  serve  as  a  staple 
computing  resource  in  support  of  our  various  research  needs.  To  this  end,  we  have 
recently  ported  many  software  packages  on  which  RTS  depends  heavily  to  the  Tl 
Nu’s;  these  include  CAD  tools,  document  production  software.  MultiLisp,  TRIX  (see 
below),  and  a  number  of  graphics  and  other  utilities.  In  addition,  the  Tl  Nus  provide 
the  base  hardware  environment  for  several  experimental  processors  under 
development,  including  a  waveform  synthesizer  (Miller,  Robinow)  and  a  novel 
dataflow  processor  (Antaki). 

At  this  writing,  about  a  dozen  of  the  Nus  have  been  installed  and  are  being  used 
routinely  as  tools  for  other  research;  we  expect  to  have  completed  the  remaining 
installations  by  September. 
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2.2.  NuBus  Developments 

The  architectural  backbone  of  the  Nu  is  the  NuBus,  a  flexible  32-bit  backplane  bus 
designed  to  provide  relatively  technology- independent  coherence  across  a  wide 
range  of  system  configurations  and  price/performance  criteria.  The  original  NuBus 
development  was  stimulated,  to  a  great  extent,  by  the  conspicuous  absence  of  an 
appropriate  32-bit  bus  standard  within  the  computer  industry,  and  a  continuing  goal 
of  the  Nu  project  has  been  the  promotion  of  such  a  standard.  From  the  earliest  days 
of  the  Nu  project,  we  have  interacted  with  the  IEEE  P896  standards  committee  where 
NuBus  idea?  have  been  clearly  influential  if  not  adopted  per  se.  While  the  IEEE 
committee  has  been  a  forum  for  valuable  technical  debate,  it  has  also  been  plagued 
by  strong  proprietary  interests  which  have  made  progress  toward  concrete 
standards  painfully  slow. 

We  have  been  delighted  that  Texas  Instruments,  our  current  industrial  partners, 
shares  our  interest  in  promoting  the  NuBus  as  a  standard  and  has  devoted 
considerable  manpower  and  other  resources  to  that  end.  They  have  interested 
several  additional  manufacturers  in  the  production  of  NuBus-based  equipment,  and 
a  recent  modification  of  the  MIT-TI  agreement  allows  NuBus  sublicenses  at  very 
nominal  royalties  (shared  between  Tl  and  MIT).  Moreover,  their  active  and  persistent 
participation  in  the  IEEE  standardization  effort  (jointly  with  our  own)  has 
substantially  furthered  the  influence  of  NuBus  ideas  and  may  result  in  the 
establishment  of  the  NuBus  itself  as  an  IEEE  standard.  Guarded  optimism  on  the 
latter  front  stems  from  a  non -binding  vote  taken  at  a  May  committee  meeting  (held  at 
LCS)  to  recommend  the  adoption  of  the  NuBus  as  a  standard;  this  action  remains  to 
be  ratified  by  a  mail  vote  of  the  entire  committee  membership. 

2.3.  TRIX  Development 

The  progress  report  for  last  year  briefly  describes  the  architecture  of  TRIX  1.0,  an 
operating  system  whose  uniform  communication  semantics  induce  unique  power 
and  coherence  on  a  network  of  interconnected  personal  computers.  In  last  year’s 
report  we  mentioned  that  two  early  prototype  implementations  had  been  constructed 
(single-  and  multi  processor  versions),  and  that  we  were  considering  alternative 
targets  for  a  more  "serious"  implementation  which  would  realistically  provide  for  the 
needs  of  a  non  trivial  user  community.  The  goal  for  this  latter  implementation  is  the 
evaluation  of  TRIX  in  the  environment  for  which  it  is  intended,  via  the  use  of  TRIX 
communications  to  serve  higher-level  user  and  application  needs. 

During  the  past  year  we  selected  the  Tl  Nus  as  the  target  for  the  new  TRIX 
implementation,  primarily  because  of  their  availability  within  RTS,  and  have  brought 
the  new  TRIX  implementation  to  an  operational  status  (Sieber,  Goddeau).  The 
current  implementation  runs  the  major  UNIX  packages  and  supports  software 
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development  (including  the  maintenance  of  TRIX  itself).  In  addition  to  UNIX 
compatibility  softwato,  it  provides  transparent  TRIX-oriented  network 
communications  and  a  primitive  window  system.  While  it  clearly  requires  further 
development,  it  currently  offers  an  adequate  environment  for  the  development  of 
software  by  a  community  of  benign  users,  and  RTS  software  activities  are  gradually 
moving  from  UNIX  to  TRIX.  We  hope  to  continue  to  support  TRIX  development  and 
encourage  this  migration  of  the  user  community,  allowing  us  to  accumulate 
substantive  experience  with  realistic  TRIX  use  during  the  next  year. 

3.  MULTIPROCESSOR  ARCHITECTURES 

The  multiprocessor  architecture  work  has  seen  continued  progress  on  many 
fronts.  We  are  finally  leaving  a  long  gestation  period  devoted  mainly  to  tool-building 
and  stand  ready  to  spend  much  more  time  on  the  basic  research.  Our  work  has 
been  in  roughly  three  areas:  hardware  construction,  software  construction,  and 
performance  analysis  and  modeling.  Additionally,  we  have  continued  our  research 
collaboration  with  Harris  Corp.,  which  is  beginning  to  bear  fruit. 

3.1.  Hardware  Construction 

A  major  accomplishment  during  this  period  has  been  the  completion  of  debugging 
of  the  RingBus  Interface  Board,  or  RIB,  a  central  component  of  the  Concert 
multiprocessor  being  built  to  serve  as  a  tool  in  our  research  (Osborne,  Gray, 
Robinow,  Halstead).  Within  the  next  month,  several  more  copies  of  the  RIB  will  be 
produced,  and  these  will  allow  us  to  build  increasingly  larger  subsets  of  the  Concert 
multiprocessor,  up  to  the  planned  32-processor  size.  Currently,  there  are  four 
operational  subsections  of  the  Concert  machine,  which  have  allowed  substantial 
software  development  and  experimentation  to  take  place,  even  though  the  units  are 
not  linked  to  each  other  via  RIB’s,  as  will  soon  be  the  case.  The  largest  of  these 
units,  the  "Megatron,"  contains  8  MC68000  processors  and  5.5  megabytes  of 
memory,  and  has  been  operating  reliably  for  a  few  months. 

The  Dynamic  State  Display  (DSD)  prototype,  begun  last  year,  has  been  completed 
(Nuth).  The  DSD  is  capable  of  measuring  and  displaying  in  real  time  various 
performance  parameters  of  the  Concert  multiprocessor,  such  as  the  loading  and 
access  delays  of  the  various  buses  in  the  system.  Use  of  the  DSD  has  already  given 
us  valuable  insight  into  the  performance  of  various  programs,  and  has  confirmed 
that,  for  most  of  the  programs  tested,  the  bandwidth  of  the  Concert  communications 
substrate  has  been  adequate. 

Another  piece  of  performance-monitoring  hardware  that  has  been  constructed  is 
the  Spektron  (Becker,  Sterling).  The  Spektron  measures  the  distribution  of 
interarrival  times  between  specified  events  in  Concert,  and  will  help  us  to  evaluate 
proposed  probabilistic  models  of  the  behavior  of  programs  on  Concert. 
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The  Concert  Display  Driver,  begun  during  the  Spring  of  1983,  has  been  completed 
(Osier).  A  direct-memory-access  front  end  for  loading  display  lists  into  the  Display 
Driver  has  been  built  and  debugged  (Nussbaum).  The  combination  of  these  two 
pieces  of  hardware  is  capable  of  displaying  continuously  changing  gray  scale 
images  on  a  raster-scan  CRT,  based  on  changing  display  lists  computed  in  real  time 
by  multiprocessor  programs  running  on  Concert.  Conversion  of  the  display  driver 
from  monochrome  to  full-color  operation  is  planned. 

3.2.  Software  Construction 

Software  for  the  Concert  multiprocessor  falls  into  main  categories:  support  and 
system  software,  and  programs  of  direct  research  interest.  Support  software 
development  has  continued:  notable  items  include  a  TRIX-like  package  for 
supporting  a  message-passing  style  of  computation  (Halstead),  an  improved 
debugger  (Litman).  a  UNIX-like  file  system  usable  in  a  multiprocessor  environment 
(Kitahara,  Jenez).  an  editor,  using  the  Display  Driver,  for  constructing  descriptions  of 
three-  dimensional  objects  (Broadway),  and  myriad  programs  for  gathering  useful 
statistics  using  the  DSD  (Nuth,  Chang,  Osborne). 

Development  of  the  MultiLisp  language  for  parallel  computation  has  continued 
(Halstead,  Loaiza).  The  principal  conceptual  addition  to  MultiLisp  during  the  past 
year  has  been  the  futures  mechanism.  A  future  is  a  token,  or  place-holder,  for  a 
value  that  has  not  yet  been  computed.  When  the  value  is  computed,  it  replaces  the 
future.  In  the  meantime,  if  any  computation  really  needs  to  know  the  value  of  the 
future,  the  computation  is  suspended  until  the  value  becomes  available.  Many 
computations  that  manipulate  a  value,  for  example,  to  store  it  in  a  data  structure,  do 
not  really  need  to  examine  the  value,  however.  Futures  provide  an  opportunity  for 
extra  concurrency  in  execution  by  allowing  the  computation  of  a  value  to  proceed 
concurrently  with  operations  that  determine  how  the  value  will  be  used. 

Development  of  MultiLisp  has  proceeded  to  the  point  where  there  are  now  over 
3000  lines  of  working  code  written  in  MultiLisp,  including  the  MultiLisp  compiler 
itself,  which  has  been  written  (using  futures)  to  exploit  some  amount  of  parallelism, 
though  not  yet  a  great  deal.  Experiments  with  other,  more  highly  parallel  programs, 
using  the  Megatron,  show  speedups  of  virtually  a  factor  of  eight  when  eight 
processors  are  used.  Measurements  using  the  DSD  show  only  about  20%  of  the 
Megatron's  communication  bandwidth  in  use  during  these  experiments,  which 
augurs  well  for  the  potential  of  MultiLisp  when  more  processors  are  used. 

The  Parallel  Control  Flow  (PCF)  paradigm  for  parallel  computing  has  undergone 
further  development  (Sterling).  Most  of  the  tools  for  processing  PCF  programs  are 
now  in  place,  including  an  assembler  (Noakes)  and  a  compiler  from  the  language 
Simultaneous  Pascal  (Sieving).  An  implementation  of  PCF  on  the  Concert 
multiprocessor  is  now  in  progress  at  Harris  Corp. 
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3.3.  Modeling 

An  analytical  study  of  the  performance  of  the  Concert  multiprocessor,  using 
stochastic  models  of  program  behavior,  is  being  undertaken  by  Osborne.  A  principal 
accomplishment  to  date  has  been  the  construction  of  a  model  for  the  RingBus 
communication  substrate  of  Concert  using  Markovian  decision  theory.  Among  the 
interesting  results  is  the  fact  that  there  is  no  single  optimal  strategy  for  granting 
access  to  the  RingBus:  the  optimal  strategy  depends  on  the  probability  of  different 
kinds  of  requests  arising  in  the  future. 

3.4.  Industrial  Collaboration 

The  first  full  year  of  our  collaboration  with  Harris  Corp.  has  just  been  completed. 
Our  partners  at  Harris  have  spent  most  of  this  period  acquiring  the  necessary 
resources  and  educating  themselves  about  parallel  processing.  However,  several 
efforts  have  been  initiated  which  should  bear  tangible  fruit  within  the  next  year: 

1 )  Harris  has  begun  the  design  of  the  GCM,  a  device  similar  to  the  RingBus 
but  based  on  a  crossbar  switch  (with  the  attendant  higher  performance), 
which  will  be  at  the  heart  of  a  version  of  the  Concert  multiprocessor 
being  constructed  at  Harris  for  their  use; 

2)  Harris  has  committed  to  re-engineering  the  DSD  for  production  in 
printed-circuit  form,  for  their  own  use  and  ours;  and 

3)  Harris  personnel  are  already  helping  with  the  development  of  support 
software  for  Concert  in  several  areas. 


3.5.  Conclusion 

The  Concert  multiprocessor  project  is  finally  emerging  from  a  long  gestation 
period  during  which  necessary  resources  were  accumulated,  necessary  tools  built, 
and  a  critical  mass  of  personnel  accumulated.  The  next  year  should  see  many 
exciting  results  that  will  deepen  our  insight  into  multiprocessor  software  and 
architecture,  and  prepare  the  way  for  the  design  of  systems  capable  of  a  more 
ambitious  degree  of  parallelism. 

4.  VLSI  DESIGN  TOOLS 

During  the  past  year  two  major  RTS  research  efforts  have  addressed  the  problems 
of  simulation  (Terman)  and  integrated  VLSI  design  system  (Zippel).  These  projects 
are  detailed  below. 
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4.1  Simulation 

One  focus  of  our  research  woik  in  the  area  of  C AO  for  VLSI  circuit  design 
continues  to  tie  in  the  aura  of  simulation.  In  particular  the  work  reported  below  aims 
to  increase  the  capacity  of  current  simulation  *ools  through  (!)  the  use  of 
multiprocessors  foi  more  computational  horsepower,  and  (2)  a  reduction  of 
simulation  overhead  toy  compiling  in  line  code  whore  possible  before  starting 
simulation.  Each  of  these  areas  is  discussed  in  more  detail  below. 

In  previous  years,  we  have  reported  on  RSIM  (hymen),  an  event  drive.,  logic  level 
simulator  for  integrated  circuit  designs  incorporating  a  very  efficient  linear  network 
model.  RSIM  has  seen  increasing  use  outside  the-  Mil  community,  and  is  now  the 
major  logic  level  simulator  at  many  university  and  industrial  locations.  Versions  of 
this  simulator  are  included  by  Berkeley  and  the  University  of  Washington  as  part  of 
their  CAD  tool  distributions.  Feedback  from  new  users  has  led  to  improvements  in 
the  the  basic  timing  calculations,  the  user  interface,  and  the  portability  of  the 
implementation.  A  major  revision  of  RSIM  incorporating  those  improvements  is 
scheduled  for  release  in  August  1984. 

Parallel  Simulation  of  Digital  LSI  Circuits:  MulLprOeossor  systems  are 
becoming  available  at  many  organizations  involved  in  LSI  circuit  design,  rin.se 
systems  range  from  mainframes  and  workstations  loosely  coupled  bv  local  area 
networks,  to  dedicated  systems  ot  processors  tightly  coupled  through  shared 
memory.  The  goal  of  the  work  described  in  this  section  is  to  develop  logic,  level 
simulation  algorithms  which  can  take  advantage  of  a  multiprocessor  system  to 
improve  simulation  speed  and  capacity.  This  work  complements  the  investigation 
now  underway  elsewhere  (most  notably  Berkeley)  of  multiprocessor  implementations 
of  lower  level  circuit  analysis  programs,  taken  together  these  effoits  hold  the 
promise  of  a  multi  level  simulation  capability  with  truly  remarkable  performance. 

The  initial  goal  of  our  work  (Inman.  Arnold)  is  to  build  a  multiprocessor 
implementation  of  the  RSIM  algorithms.  Given  the  wide  vuncty  of  multiprocessor 
systems  available,  special  care  is  being  taken  to  ensure  that  flip  implementation  uses 
a  simple  (and  hopefully  universal)  set  of  intei  process  communication  primitives. 
Work  on  the  project  has  just  recently  gotten  underway:  ami  ntly.  there  ate  three 
identifiable  subprojects: 

1)  Conversion  of  the  RSIM  algorithms  to  use  only  fi<ed  point  integer 
arithmetic  (Arnold)  Since  many  of  the.  multiprocessors  incorporate 
CPUs  (c  g  .  the  Mi ,68000)  that  do  not  support  floating  point  calculations 
directly,  this  important  step  ensures  that  no  great  performance  loss  is 
incurred  simply  because  of  moving  out  of  the  VAX  environment.  The  32- 
Pit  arithmetic  provided  bv  most  CPUs  piovldos  over  0  decades  of 
dynamic,  range  enough  to  represent  the  electrical  datum' .-lets  in  which 
we  are  interested. 
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machine  Icams'  to  recognize  inputs  reliably  for  that  individual.  The  program 
emulates  the  behnvioi  of  a  network  of  simple-  finite  state  machines,  which  first 
extract  a  sot  of  basic  features  in  the  form  of  a  string  of  symbols  from  a  discrete,  finite 
alphabet  tor  each  input  character,  and  then  compress  the  representation  to  yield  a 
string  which  uniquely  identifies  the  input.  The  compression  can  be  considered  to  be 
an  absti action  since  this  step  allows  recognition  of  characters  whose  input  features 
do  not  exactly  match  that  from  which  the  compressed  string  was  derived.  This  step 
enormously  compresses  the  amount  of  data  that  must  be  stored  and  searched  to 
perform  the  recognition  task  reliably.  Although  this  research  on  hand-printed 
chat  actor  recognition  may  someday  lead  to  a  useful  end  product,  the  primary 
purpose  of  this  effort  is  to  study  and  experiment  with  various  aspects  of  the 
fundamental  machine  -leaming/patternrecognition  model  used  here  which  is  based 
on  symbol  processing  rather  than  signal  processing. 
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Capsule  system  is  a  partially  successful  attempt  to  provide  mechanism  through 
which  the  programmer  can  truly  express  what  the  program  is  intended  to  do. 

5.  STUDIES  IN  MACHINE  LEARNING 

Exploration  of  bases  for  nonstandard  computer  architectures  (Goblick.  Ward)  has 
led  to  an  interest  in  machine  learning,  i.e..  systems  which  can  improve  their 
performance  with  experience  when  the  desired  system  responses  are  presented 
together  with  the  inputs.  A  universal  goal  among  researchers  in  machine  learning 
seems  to  be  to  emulate  the  powerful  learning  mechanisms  of  biological  organisms, 
especially  the  higher  forms  like  man.  This  image  leads  to  the  study  of  computing 
machines  built  using  a  large  number  of  simple  computing  elements,  each  only 
moderately  reliable,  but  all  intricately  interconnected  to  result  in  excellent  overall 
system  performance  and  reliability.  One  can  imagine  VLSI  chips  containing  large 
arrays  of  identical,  simple,  neuron  like  computing  elements  which  are  not 
programmed  in  the  usual  way.  but  are  'trained'  by  example  to  establish  the  proper 
interconnections  between  elements  to  perform  specific  tasks.  One  example  of  this 
approach  is  that  of  an  associative  memory  to  recognize  patterns  represented  as 
vectors  whose  coefficients  correspond  to  different  features.  The  associative 
memory  can  be  constructed  out  of  a  large  array  of  identical,  simple  processors  to 
compute  the  dot  product  of  an  input  vector  with  each  of  the  set  of  stored  vectors  in 
the  memory. 

While  this  image  is  appealing  to  learning  theorists,  it  is  tantamount  to  putting  the 
cart  before  the  horse  by  asking,  "What  sort  of  interesting  learning  tasks  can  be 
performed  by  machines  composed  of  arrays  consisting  of  certain  kinds  of  computing 
elements?"  The  problem  is  that  the  theory  of  compulation  has  little  to  say  about 
models  of  computation  that  are  complex  enough  to  represent  machines  composed 
of  such  'malleable'  arrays  of  processing  elements.  Another  approach  is  to  first 
devise  algorithms  which  perform  a  certain  learning/recognition  task  adequately,  and 
then  consider  separately  the  implementation  of  these  algorithms  in  hardware  and/or 
software,  taking  into  account  the  constraints  of  available  circuit  and  chip 
technology,  machine  architecture  and  software.  The  advantage  of  this  approach  is 
that  devising  working  algorithms  can  be  done  independently  of  the  technology  used 
to  implement  the  final  solution.  The  disadvantage  is  that  the  algorithms  may  fail  to 
meet  desirable  implementation  criteria,  such  as  the  exploitation  of  massive 
parallelism. 

To  obtain  some  concrete  experience  in  machine  learning,  a  model  was  formulated 
and  programmed  for  the  computer  recognition  of  hand  printed  English  characters 
(letters  and  numerals).  This  program,  running  on  a  T.l.  Nu  Machine,  is  'trained'  by 
an  individual  user  who  enters  hand  printed  characters  via  the  mouse,  together  with 
the  desired  machine  response  for  that  character  (entered  via  the  keyboard),  until  the 
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merely  moves  the  mechanism  we  are  discussing  into  the  compiler.  This  is  the 
fundamental  difference  between  the  Lisp  Machine’s  flavor  system  which  takes  the 
object  oriented  viewpoint,  and  CLU  which  is  function  oriented. 

By  an  object  we  will  mean  something  to  which  a  message  can  be  sent.  This  will 
result  in  one  (or  more  values)  being  returned  and  the  internal  state  of  the  object 
being  changed.  The  action  caused  when  a  message  is  sent  to  an  object  is  called  an 
operation.  A  message  is  a  string  used  to  name  some  operation.  It  contains  no 
internal  structure.  The  piece  of  code  executed  when  a  message  is  sent  to  an  object 
is  called  a  method.  Objects  may  also  contain  internal  state  which  is  kept  in  instance 
variables  that  may  be  referenced  by  the  methods. 

Every  object  belongs  to  a  class  of  equivalent  objects  that  have  the  same  methods 
and  the  same  set  of  instance  variables.  This  equivalence  class  is  called  a  collage. 
Objects  are  created  by  calling  the  function  MAKE-OBJECT  on  a  collage.  The 
methods  are  actually  part  of  the  collage,  so  as  operations  are  added  to  the  collage, 
the  instances  of  the  collage  also  acquire  them. 

The  specification  for  how  a  method  is  to  be  constructed  is  kept  in  a  structure 
called  a  capsule.  When  a  capsule  is  added  to  a  collage,  the  code  within  the  capsule 
is  incorporated  in  one  or  more  of  the  methods  of  the  collage.  Capsules  also  contain 
information  describing  what  their  pieces  of  code  expect  of  the  collage  to  which  they 
are  added  (what  operations  and  instance  variables  there  are.  for  instance). 

When  the  user  creates  a  collage,  he  or  she  specifies  a  protocol  that  the  instances 
of  the  collage  must  satisfy.  The  Capsule  system  is  then  responsible  for  determining 
which  capsules  provide  the  fragments  of  the  protocol  desired  and  which  also  fit 
together.  It  then  combines  these  capsules  to  form  the  desired  collage.  Thus  in  the 
capsule  system,  the  user  specifies  what  the  desired  functionality  of  the  objects  to  be 
created  and  the  system  decides  on  the  implementation.  This  greatly  simplifies  the 
programmers  work  since  there  are  far  fewer  concepts  than  implementations  of 
concepts,  and  also  because  it  allows  different  programmers  to  build  on  each  others 
work  far  more. 

When  the  capsule  system  was  used  to  describe  a  portion  of  the  stream  code  used 
in  the  Lisp  Machine,  we  noticed  that  the  protocol  sp-  cifications  seemed  more 
verbose  than  we  would  have  liked.  Closer  examination  revealed  that  many  of  the 
comments  we  hod  penciled  into  the  version  of  the  code  that  used  flavors  were  being 
translated  into  protocols.  This  reinforces  our  impression  that  the  capsule  system  is 
partially  an  attempt  to  force  the  programmer  to  make  the  code  that  is  written  more 
precise. 

We  feel  that  if  the  programmer  makes  this  effort,  the  programming  system  will  be  in 
a  much  better  position  to  aid  in  the  development  of  large  software  systems.  The 
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synthesis  modules  of  Schema  are  expected  to  rely  heavily  on  the  database  tools  for 
organization  and  the  analysis  tools  for  validation  and  guidance.  In  addition,  the 
results  of  the  synthesis  modules  include  behavioral  descriptions  to  guide  analysis 
and  correction  and  as  guidance  for  lower  level  synthesis  modules.  In  this  section  we 
will  describe  the  basic  organization  of  some  of  the  topological  synthesis  tools. 

The  lowest  layers  of  the  synthesis  layer  consist  of  many  small  specialized  modules 
that  convert  higher  level  specifications  into  augmented  designs.  An  example  of  this 
sort  of  module  would  be  a  buffer  generator.  The  parameters  that  govern  the  design 
of  a  buffer  are  the  input  and  output  level,  noise  margins,  power  consumption,  input 
and  output  capacitances,  rise  and  fall  times,  etc.  All  of  these  parameters  can  be 
specified  at  different  process  corners.  Many  of  these  parameters,  like  nominal  noise 
margins,  are  inherited  from  the  overall  design  specification.  Given  a  subset  of  these 
parameters,  the  buffer  generator  would  attempt  to  chose  a  topology  and  size  the 
devices  to  meet  the  specification.  The  synthesis  module  may  need  to  perform 
simulations  to  make  these  decisions,  for  instance,  to  evaluate  the  impact  of  Miller 
capacitances  in  some  circuit,  or  to  adjust  the  device  sizes  using  a  more  accurate 
device  model  than  is  used  in  the  initial  synthesis  steps.  In  a  very  real  sense  this 
module  would  be  an  expert  in  buffer  design. 

A  slightly  higher  level  expert  would  convert  register  array  specifications  (word  size, 
depth,  cycling  and  power  considerations)  into  a  high  performance,  correctly 
margined  register  array.  Other  experts  will  deal  with  programmed  logic  array  (PLA), 
general  combinational  logic  and  arithmetic  logic  unit  design.  The  existence  of  the 
analysis  modules,  buffer  designer  and  similar  experts  raises  the  semantic  level  at 
which  these  higher  level  synthesis  modules  are  specified. 

Combining  a  number  of  these  tools,  a  datapath  and  microcode  generators  could 
be  built.  At  the  highest  level,  "silicon  compilers"  can  be  constructed  based  on  the 
abstractions  provided  by  the  low  level  "experts."  They  are  responsible  for  balancing 
the  performance/power/noise  considerations  among  the  various  components. 


4.3.  Capsules 

The  Capsule  system  is  progressing  quite  well.  A  preliminary  implementation  has 
been  completed  by  Ramin  Zabih  and  it  is  being  used  to  build  a  simple  algebraic 
manipulation  system  this  summer.  We  expect  to  refine  the  ideas  and  implementation 
significantly  in  the  next  few  months  and  should  have  a  more  generally  usable 
implementation  available  by  the  end  of  the  calendar  year. 

In  the  capsule  system  we  have  assumed  that  all  actions  occur  by  sending 
messages  to  objects  this  is  the  obiect  oriented  viewpoint.  Taking  the  dual  point  of 
view,  where  objects  are  passive  and  the  correct  function  is  chosen  by  the  compiler, 
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Analysis  Layer:  The  second  layer,  the  analysis  layer,  contains  those  tools  that 
ext  act  information  from  a  design.  In  addition  simulators  like  Spice  and  RSIM, 
design  rule  checkers  and  circuit  extractors  we  include  those  modules  that  extract 
higher  level  semantic  information  from  designs.  This  includes  those  tools  that 
combine  behavior  information  with  simulation  results  to  determine  how  a  design 
component  failed.  These  tools  produce  answers  like:  The  pullup  does  not  supply 
enough  current,  and  the  state  machine  was  not  reset  at  the  beginning  of  each  major 
cycle.  Intelligent  front  ends  to  design  rule  checkers  are  also  needed.  Given  the 
circuit  topology  and  masts  together,  they  can  do  a  better  job  dealing  with  more 
complex  design  rules  like  current  or  voltage  sensitive  rules,  and  they  can  give  a  far 
better  characterization  of  what  went  wrong.  Rather  than  a  dozen  spacing  rule 
violations,  it  should  be  possible  to  indicate  that  two  cells  are  too  closely  spaced. 

In  addition,  the  knowledge  contained  in  these  tools  may  be  used  to  constrain  or 
determine  details  in  the  design.  For  instance,  tools  that  convert  DC  currents  and 
voltages  to  device  sizes  use  the  same  models  and  similar  organization  as  do  tools 
that  compute  DC  currents  and  voltages.  In  particular,  certain  components  of 
generic  circuit  optimizers  and  retiming  tools  might  be  components  of  the  analysis 
layer. 

We  have  designed  a  DC  analysis  module  that  allows  the  designer  to  specify  DC 
electrical  parameters  (voltages,  currents,  power,  noise  margins)  which  the  system 
will  use  to  deduce  initial  values  for  device  sizes.  In  addition  it  will  derive  these  DC 
parameters  from  a  completely  sized  schematic  (with  the  help  of  SPICE).  Naturally, 
as  the  design  is  polished  This  has  two  advantages.  First,  topological  specifications 
are  insulated  from  process  variations.  And  second,  although  the  initial  device  sizes 
may  be  modified  as  the  design  is  polished  the  Schema  has  available  detailed 
electrical  information  about  the  intent  of  the  designer  which  can  be  used  to  validate 
the  final  design. 

This  particular  approach  involved  developing  a  small  computer  algebra  package 
for  manipulating  systems  of  algebraic  constraints,  which  was  done.  In  order  to 
check  out  the  package  a  slightly  simpler  problem  was  addressed  determining  the 
voltage  transfer  function  a  linear  system.  I  tie  result  is  a  package  that  allows  the 
designer  to  graphically  specify  a  circuit  involving  linear  components:  resistors, 
capacitors,  inductors  and  operational  amplifiers.  The  Schema  can  then  compute  the 
symbolic  voltage  transfer  function  and  when  asked  will  generate  Bode  and  Nyquist 
plots  for  particular  values  of  the  parameters  of  the  devices.  Tins  educational  tool 
was  put  together  with  two  weekends,  and  indication  of  the  speed  with  which 
interesting  projects  can  be  done  using  the  software  organization  used  in  Schema. 

Synthesis  Layer:  Much  of  the  interest  in  new  style  design  tools  has 
concentrated  on  synthesis  modules  since  these  actually  create  designs.  The 
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the  wires  are  either  horizontal  or  vertical,  when  devices  are  moved  it  makes  sure  that 
wires  don't  end  up  with  negative  length,  and  it  ensures  that  there  are  no  dangling 
wires.  When  a  module  is  deleted,  the  wires  connected  to  it  are  also  deleted.  In 
addition,  when  running  wire  between  two  points,  devices  can  be  inserted  into  the 
wire  with  a  single  mouse  button.  These  facilities  allow  the  designer  to  sketch 
schematics  quite  quickly,  in  much  the  same  manner  as  they  do  on  paper  and  with 
much  cleaner  and  reliable  results.  The  designers  who  have  made  use  of  the  system 
have  generally  been  quite  happy  with  it  and  consider  it  comparable  to  hand 
sketching  in  speed. 

Regardless  of  how  the  schematic  is  modified,  when  the  procedure  is  examined  it 
always  reflects  the  schematic.  Ideally,  everything  that  is  expressible  textually  would 
be  easily  expressible  using  the  graphics  editor.  Though  this  is  difficult,  we  are 
attempting  to  get  as  close  to  this  goal  as  possible.  The  Daedalus  system  provides  a 
similar  interface  to  DPL  for  mask  design.  Our  collaborators  at  Harris,  Corp.  are 
currently  adapting  this  mask  design  system  using  the  tools  in  Schema  in  anticipation 
of  its  incorporation.  This  will  also  give  us  the  opportunity  to  incorporate  the  routing 
and  compaction  work  of  Rivost  and  Leiserson  into  the  mask  level  data  structures  and 
procedures.  We  expect  to  include  structures  like  self  routing  channels  and  switch 
boxes  in  the  basic  library. 

Finally,  there  must  be  some  long  term  storage  system.  This  storage  system  must 
be  reliable,  allow  multiple  designers  to  access  the  same  design  component 
simultaneously  and  yet  provide  interlock  mechanisms  to  ensure  designers  do  not 
interfere  with  each  other.  Katz  [3]  has  discussed  some  of  the  issues  involved  in  such 
a  system.  Our  needs  and  constraints  are  slightly  different  since  the  active  portion  of 
the  database  is  always  kept  in  the  virtual  memory  of  a  Lisp  Machine,  and  among  our 
concerns  is  the  effective  cooperation  of  possibly  isolated  designers.  The  long  term 
storage  system  is  a  repository  for  all  aspects  of  the  design,  schematics,  simulation 
results,  floorplans,  layouts,  architectural  sketches,  textual  notes  about  the  design, 
and  anything  else  the  designer  might  provide. 

The  current  design  for  the  long  term  storage  system  provides  each  designer  with 
his  or  her  own  hierarchy  of  projects.  A  project  is  some  major  design,  typically  a  chip 
or  system.  Projects  contain  schematics.  circuits,  simulation  specifications  and 
results,  floor  plans,  mask  descriptions  and  so  on.  In  general,  more  than  one 
designer  works  on  a  project  at  a  time.  The  hierarchy  of  each  designer  contains  an 
entry  pointing  to  the  project  itself.  Two  approaches  are  being  taken  to  make  the 
hierarchy  more  permanent  a  somewhat  complex  file  server  that  takes  care  of  the 
necessary  locking  and  coordination  mechanisms  and  the  more  fundamental 
approach  of  directly  addressing  the  problem  of  stable  storage  of  Lisp  expressions. 
Though  wo  are  leaning  towards  the  second  solution  as  being  the  correct  solution  in 
the  long  run.  the  modified  file  system  will  also  be  implemented  tor  pragmatic 
reasons.  This  work  is  being  pursued  by  Jeff  Eisen. 
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discrete,  possibly  non  numeric  values,  are  used  for  digital  signals  and  symbolic 
quantities  are  used  for  higher  level  signals.  The  waveform  bounds  developed  by  the 
techniques  of  Rubinstein,  Penfield  and  Horowitz  [2]  can  be  represented  by  using 
open  sets  as  the  waveform  values.  Allowing  open  sets  for  time  coordinates  permits 
us  to  represent  the  qualitative  quantities  needed  for  behavioral  description  [7], 

The  topological,  waveform  and  physical  representations  are  all  specified  by  a 
procedure  as  was  done  in  DPL  [1],  When  this  procedure  is  invoked  it  creates  the 
appropriate  data  structure.  Arguments  can  be  passed  to  the  procedure  to  control 
the  creation  of  the  data  structure  in  any  way  desired.  Since  the  procedure  is  merely 
a  slightly  stylized  Lisp  program,  it  can  perform  any  computation  desired  to  determine 
what  sort  of  structure  to  build.  Arbitrary  (local)  intelligence  can  be  placed  in  this 
procedure  to  create  relatively  intelligent  synthesis  modules.  For  instance,  Mark 
Rose  has  built  a  simple  ALU  generator  module  that  chooses  the  carry  propagation 
scheme  based  on  the  word  length  and  speed  requirements  specified  by  the  designer 
[6]. 

This  technology  is  used  not  only  to  specify  topological  structures,  but  also  to 
specify  waveforms.  In  conjunction  with  a  constraint  system  provided  by  Schema, 
this  provides  an  extremely  powerful  way  of  specifying  both  the  inputs  and  outputs  of 
simulations,  especially  when  difficult  extremes  of  processing  (called  processing 
corners)  must  be  taken  into  account.  In  combination  with  the  waveform  bounds  and 
qualitative  structures  mentioned  above,  the  procedural  capabilities  are  an 
exceedingly  powerful  mechanism  for  describing  the  behavior  of  circuits. 

The  procedural  specifications  of  circuits,  waveforms  and  other  structures  can  be 
tedious.  A  graphics  system  has  been  developed  for  the  circuit  language  that  allows 
this  procedure  to  be  specified  by  drawing  the  circuit's  schematic.  The  schematic 
entry  system  itself  is  rather  interesting.  We  feel  that  unless  designers  find  it  easier  to 
enter  schematics  using  Schema  than  sketching  them  on  paper,  they  would  shy  away 
from  the  system  and  would  delegate  its  use  to  draftsmen,  wasting  all  of  the  design 
knowledge  that  Schema  contains. 

The  basic  interaction  mechanism  of  the  schematic  entry  system  is  similar  to  that 
used  by  Daedalus.  The  designer  uses  a  three  button  mouse  to  for  almost  all  actions. 
The  function  of  the  three  buttons  can  be  modified  by  depressing  any  combination  of 
four  shift  keys.  A  black  bar  just  under  the  schematic  display  is  kept  constantly  up  to 
date  with  the  function  of  each  button  on  the  mouse.  The  eliminates  the  need  for  the 
designer  to  go  to  a  menu  to  select  an  object  or  issue  a  command.  Furthermore,  the 
designer  rarely  moves  his  hands  from  this  basic  position:  right  hand  on  the  mouse, 
left  on  the  shift  keys. 

The  schematic  entry  system  understands  a  certain  amount  about  how  schematics 
are  supposed  to  look.  For  instance,  it  moves  devices  if  necessary  to  ensure  that  all 
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Thus  far,  the  design  of  Schema  has  concentrated  on  the  topological  domain.  This 
is  the  area  that  is  least  thoroughly  explored  and  where  we  intend  to  apply  our 
knowledge  engineering  techniques  first.  Most  designs  begin  with  topological 
specifications  and  elaborate  them  into  physical  specifications,  so  it  is  reasonable  to 
begin  here.  Our  colleagues  at  Harris  Corp.  are  study  the  physical  domain  now,  and 
we  plan  to  bring  the  two  pieces  of  Schema  together  at  the  end  of  this  summer. 

Schema  is  implemented  in  three  basic  layers.  The  database  layer  contains  the 
data  structures  used  to  represent  pieces  of  designs  and  design  processes.  It 
provides  the  primitive  operations  needed  to  manipulate  and  manage  design  objects 
in  a  consistent  manner.  The  analysis  layer  contains  those  routines  that  extract 
information  from  a  design  object:  simulators,  design  rule  checkers,  feature 
extraction  tools,  etc.  Those  tools  that  create  design  objects  are  contained  in  the 
synthesis  layer.  Each  of  these  layers  is  discussed  in  the  following  subsections. 

Database  Layer:  The  data  base  layer  provides  basic  tools  for  building  a  large 
variety  of  structures  used  in  integrated  circuit  design.  The  basic  data  structures  are 
built  using  the  Lisp  Machine’s  flavor  system  [5]  way  that  anticipates  the  Capsule 
system  [8],  This  fundamental  choice  gives  us  more  modularization  flexibility  than 
any  other  programming  technique  available.  In  particular,  it  allows  us  to  build  the 
knowledge  in  layers,  out  of  small  modules,  without  significant  performance 
penalties.  The  flavor  and  Capsule  systems  collapse  the  layers  automatically.  We  will 
be  revamping  the  existing  code  using  Capsules  during  the  next  year  to  eighteen 
months. 

A  number  of  different  facilities  are  needed  to  build  the  data  objects  of  a  VLSI 
design  system.  Among  them  are  prototypes,  hierarchical  structures,  and 
incremental  creation  (creation  on  demand  for  very  large  structures).  We  have  built  a 
library  of  flavors  that  implement  these  facilities  in  a  modular,  reusable  and  efficient 
fashion.  Along  with  a  large  collection  of  other  utilities,  we  have  used  these  flavors  to 
build  circuit  and  waveform  representations  [4],  the  directory  structure  used  to 
manage  projects  and  the  graphics  presentation  structures  for  schematics.  This 
philosophy  of  constructing  small  flavors  (Capsules  in  the  future)  that  implement 
basic  software  concepts  is  being  followed  throughout  the  design  of  the  system,  and 
has  already  allowed  us  to  leverage  our  software  efforts  quite  effectively.  We  expect 
the  library  of  these  facilities  to  increase  dramatically  as  mask  level  structures  are 
introduced. 

The  existing  structures  for  circuits  and  waveforms  are  general  enough  to  deal  with 
circuits  not  only  at  the  transistor  level,  but  also  at  the  gate  level,  at  the  register 
transfer  level  and  at  any  higher  level  where  the  computational  structure  can  be 
expressed  as  a  graph  of  communicating  modules.  Waveforms  with  any  value  set  can 
be  represented.  Real  numbers  are  used  to  represent  analog  voltages  and  currents, 
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the  analysis  job.  Additional  softwaie  is  required  to  determine  the  failure  mechanisms 
from  the  simulation  results  using  the  behavioral  specifications. 

If  the  analysis  routines  uncover  deviations  from  the  specified  behavior,  correction 
modules  are  responsible  for  modifying  the  design  (including  the  behavioral 
description)  to  come  closer  to  the  desired  behavior.  If  the  problems  are  sufficiently 
bod.  the  original  specification  itself  may  need  to  be  modified.  In  simple  cases,  where 
mollifications  are  device  size  adjustments  or  other  well  understood  changes, 
software  tools  will  be  provided  to  close  the  loop.  In  general  though,  we  leave  the 
correction  phase  to  the  humans.  This  is  one  aspect  of  design  that  is  extremely 
poorly  undei stood  and  where  human  creativity  can  be  best  exploited. 

This  general  iteration  structure  may  be  repeated  at  several  levels  by  the  designer- 
each  loop  refining  one  aspect  or  level  of  the  design.  The  analysis  routines  may 
indicate  fundamentally  insoluble  problems  with  the  specifications,  in  which  case  the 
designer  would  have  to  undo  some  higher  level  decisions  previously  thought  to  be 
correct. 

Synthesis  modules  make  use  of  this  structure  to  converge  to  device  sizes  or  to 
determine  the  basic  topology  or  floorplan  of  a  circuit.  Such  a  synthesis  module 
would  use  simplified  correction  modules  as  a  heuristic  means  of  generating 
solutions  to  design  problems.  In  sufficiently  well  understood  situations,  the  heuristic 
correction  module  might  bo  completely  adequate  m  which  case  the  designer  would 
need  never  be  bothered  by  the  correction  phase. 

We  have  divided  the  design  of  integrated  circuits  into  two  domains:  topological 
design  and  physical  design.  Each  of  these  domains  can  be  explored  at  multiple 
levels  of  detail.  At  the  higher  abstraction  levels  (low  detail),  topological  design  is 
concerned  with  architectural/functional  specifications,  iegister  transfer  descriptions 
and  logic  design.  At  the  lowest  abstraction  levels  topological  design  deals  with  the 
particular  transistor  topologies  used  to  implement  logical  functions  and  the  detailed 
electrical  circuit  design  issues  of  the  chip.  The  physical  domain  has  a  similar 
hierarchy.  At  the  highest  abstraction  level,  we  are  concerned  with  pin  count,  power 
utilization  and  speed.  At  lower  levels,  the  concern  moves  to  floor  plans,  power  grids 
and  other  global  organizing  structures.  At  the  lowest  abstraction  levels,  our 
primitives  are  sticks  representations  or  detailed  mask  specifications. 

In  our  observations  of  real  designers  we  have  observed  that  they  spend  a  large 
amount  of  time  going  back  and  forth  between  the  different  design  domains,  refining 
the  design  a  bit  at  each  step.  One  of  the  biggest  problems  in  design  now  is  that 
designers  are  not  able  to  move  between  the  domains  quickly  enough.  Thus  bad 
interactions  between  the  domains  or  misconceptions  between  the  different  designs 
are  not  discovered  until  the  final  layout-very  late  in  the  design  cycle. 
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management  tools  for  VLSI  design.  Second,  the  internal  structures  and  procedures 
are  organized  to  match  as  closely  as  possible  designers'  semantics.  Third,  there  are 
mechanisms  to  capture  the  designer’s  intent  and  where  possible,  all  system  initiated 
inquiries  of  the  designer  ask  for  the  designer's  intent,  not  how  to  solve  the  problem 
at  hand.  Finally,  all  tools  are  organized  to  so  they  can  be  easily  used  both  by  higher 
level  tools  as  well  as  by  designers.  The  following  paragraphs  give  the  basic  user 
interaction  model  for  Schema  and  illustrates  the  type  of  tools  that  make  up  Schema. 


Behavioral  Information 


Figu  re  13*1:  Interaction  with  Schema 

Figure  13-1  gives  a  view  of  the  designer's  interaction  with  Schema  at  some  level  in 
some  design  domain.  The  designer  initially  provides  a  specification  of  the  desired 
module.  A  synthesis  module  converts  this  specification  into  a  design.  Designs 
consist  of  a  detailed  topological  or  geometrical  specification  and  a  behavioral 
description-the  synthesis  module’s  intent.  The  behavioral  description  indicates  how 
the  components  selected  and  connected  by  the  synthesis  modules  are  intended  to 
satisfy  the  designer's  original  specifications. 

By  using  simulation  or  some  other  checking  mechanism,  the  analysis  modules 
attempt  to  verify  that  the  design  meets  the  designer's  original  goals,  as  specified  to 
the  synthesis  module  or  otherwise  made  known  to  the  system.  If  the  design  does  not 
meet  these  goals,  the  analysis  tools  are  expected  to  indicate  the  components  that 
did  not  meet  their  behavioral  specifications  and  in  what  way  they  caused  the  overall 
design  to  fail.  Most  existing  simulation  tools  (e.g.  Spice,  RSIM)  perform  only  part  of 


.206 


REAL  TIME  SYSTEMS 


third  value  "X",  or  "unknown".  If  an  expression  evaluates  to  true,  the 
corresponding  path  exists;  if  the  expression  evaluates  to  false,  no  path  exists.  Since 
nodes  can  have  X  values,  expressions  involving  node  values  can  evaluate  to  X;  in 
this  case,  the  corresponding  path  may  or  may  not  exist.  The  values  of  the  four  node 
equations  can  be  combined  in  a  simple  way  to  determine  the  final  logic  value  of  a 
node.  In  other  words,  all  information  about  paths  in  the  original  network  is  now 
stored  in  the  node  equations,  where  it  can  be  efficiently  utilized. 

Some  circuit  configurations  have  very  simple  connection  paths  during  actual 
operation  of  the  circuit,  but  the  circuits  can  appear  very  complicated  when  no 
information  is  known  about  the  values  of  various  control  lines.  This  is  especially  true 
of  a  circuit  containing  mosfet  switching  logic,  such  as  a  barrel  shifter  or  tally  circuit. 
The  logic  equations  for  a  node  in  such  circuits  can  become  very  large  in  some 
cases,  large  enough  to  be  impractical.  The  compiler  monitors  the  size  of  the 
equations  under  construction;  if  they  grow  too  large,  the  compilation  is  aborted  and 
the  node  is  flagged.  At  simulation  time,  the  value  of  a  flagged  node  is  determined 
using  the  normal  switch  level  simulation  algorithm.  Using  this  technique,  the  speed¬ 
up  in  simulation  afforded  by  the  use  of  logic  equations  can  be  enjoyed  by  circuits 
even  where  100%  conversion  to  equations  is  not  possible.  Here  we  see  one  of  the 
advantages  of  a  general-purpose  computer  over  special  purpose  simulation 
hardware:  reversion  to  ordinary  switch-level  simulation  for  especially  complicated 
circuits  is  easily  accomplished  by  general -purpose  computers,  but  can  be  next  to 
impossible  for  special  purpose  hardware. 

A  prototype  implementation  of  ESIM2  was  built  during  the  last  year,  and  its 
performance  compared  to  that  of  the  original  ESIM  simulator.  ESIM2  was  found  to 
be  50  to  100  times  faster.  Interestingly,  the  more  complex  the  circuit,  the  greater  the 
speed-up;  a  not  entirely  unexpected  phenomenon  since  the  cost  of  re  examining  the 
network  in  the  original  simulator  grows  rapidly  as  network  complexity  increases. 
The  increase  in  performance  provided  by  ESIM2  should  permit  the  simulation  of 
substantially  larger  circuits  than  before  possible. 

4.2.  Schema  Developments 

Schema  is  an  integrated  environment  for  doing  VLSI  design.  By  providing 
canonical  representations  (for  circuits  and  waveforms),  interfaces  and  other  support 
tools,  it  serves  as  a  shell  into  which  a  large  number  of  different  electronic  design 
tools  can  be  plugged.  It  is,  in  a  very  real  sense,  an  operating  system  for  electronic 
design.  In  this  section  we  describe  a  bit  of  the  Schema  philosophy  in  addition  to 
mentioning  the  progress  we  have  made  in  actually  building  the  system. 

There  are  four  basic  tenets  behind  the  organization  of  Schema.  First,  Schema 
provides  a  coherent  and  cohesive  set  of  data  structures,  databases  and  database 
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(e.g.,  command  interpretation,  access  to  the  network  data  base,  model  evaluation), 
and  their  performance  suffers  as  a  result.  Happily,  much  of  this  overhead  can  be 
eliminated  through  the  application  of  traditional  compilation  techniques.  This  is  the 
theme  of  this  section,  and  the  motivation  for  the  development  of  ESIM2  (Terman),  a 
combination  compiler/simulator.  ESIM2  compiles  a  network  into  a  set  of  simulation 
subroutines,  one  for  each  strongly  connected  subnetwork  (i.e.,  pieces  of  the  network 
connected  through  one  or  more  mosfet  source/drain  connections).  Each 
subroutine  computes  the  new  value  of  one  or  more  nodes  from  their  old  values  and 
the  values  of  other  nodes  in  the  network.  While  performing  the  same  simulation 
calculation  as  earlier  switch-level  simulators,  these  subroutines  arrive  at  the  answer 
much  more  quickly  -  performance  improvements  of  two  orders  of  magnitude  are 
typical.  There  has  been  much  interest  recently  in  special  purpose  hardware  for 
simulation  (e.g,  the  IBM  Yorktown  Simulation  Engine,  and  the  Zycad  Logic 
Evaluator).  It  may  be  that  such  developments  are  premature,  and  that  substantially 
better  simulation  performance  can  still  be  obtained  from  general  purpose 
computers. 

The  switch-level  simulation  algorithm  incorporated  in  RSIM  determines  the  value  of 
a  node  from  information  about  the  node's  current  connections  to  VDD  and  GND. 
The  information  is  re-gathered  each  time  a  new  value  is  calculated  for  the  node.  In 
most  cases,  only  a  small  number  of  potential  paths  exist  from  a  node  to  VDD  or  GND. 
This  suggests  that  it  might  be  economical  to  determine  ahead  of  time  the  conditions 
for  which  a  path  exists  to,  say,  GND.  For  example,  the  output  of  a  NOR  gate  with 
inputs  A  and  B  is  pulled  down  if  either  A  or  B  is  non-O.  The  existence  of  a  pulldown 
path  can  be  determined  by  evaluating  the  expression  "A  or  B";  a  search  of  the 
network  is  not  required  to  discover  which  pulldowns  are  currently  conducting. 

ESIM2  builds  a  set  of  four  equations  for  each  node  in  the  network: 

DHa  An  expression  indicating  under  what  conditions  a  path  of 

conducting  n-channel  and/or  p-channel  devices  exists  from 
node  A  to  VDD. 

DLa  An  expression  indicating  under  what  conditions  a  path  of 

conducting  n-channel  and/or  p-channel  devices  exists  from 
node  A  to  GND. 

WHa  Same  as  DHA  except  the  path  contains  at  least  one  depletion 

device. 

WLa  Same  as  DLA  except  the  path  contains  at  least  one  depletion 

device. 

The  equations  involve  ordinary  Boolean  operations,  extended  to  accommodate  a 
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2)  Partitioning  the  network  among  the  available  processors  (Terman). 
Traditional  static  partition  methods  (e.g.,  min-cut)  can  be  used  to  ensure 
that  interprocessor  communication  is  kept  to  a  minimum.  However, 
partitions  built  in  this  way  often  result  in  an  unbalanced  simulation  load, 
where  a  few  of  the  processors  are  responsible  for  a  bulk  of  the 
simulation  computation.  A  pseudo  dynamic  partitioning  scheme  is 
under  investigation.  Here  a  short  simulation  of  the  whole  network  is 
metered  to  determine  which  subnetworks  are  the  most  active.  This 
information  is  used  to  weight  each  subnetwork,  and  the  static 
partitioning  technique  is  augmented  to  minimize  communication  costs 
subject  to  the  constraint  of  keeping  the  total  weight  of  each  processor 
more  or  less  equal. 

3)  Integrating  the  interprocess  communications  with  the  local  simulation 
algorithm  (Arnold).  The  naive  event-wheel  implementation  of  the  RSIM 
algorithm  introduces  an  unwanted  synchrony  between  processors  since 
simulated  time  cannot  advance  on  a  particular  processor  until  it  is  sure 
that  it  will  not  receive  any  more  incoming  events  for  the  current 
simulated  time.  Thus  all  processors  would  run  in  lock-step;  since  the 
simulation  calculation  is  relatively  short,  the  communication  overhead 
would  be  large,  thus  obviating  many  of  the  advantages  of  parallel 
simulation.  To  ease  this  constraint,  we  are  proposing  to  implement  a 
checkpoint/rollback  scheme  for  event  handling.  Every  so  often  the 
state  of  the  event  queue  and  each  network  node  is  saved.  Whenever  an 
event  arrives  which  is  to  be  scheduled  for  a  time  earlier  than  the  current 
simulated  time,  the  simulation  state  is  restored  from  the  latest 
checkpoint  earlier  than  the  new  event.  The  new  event  can  then  be 
scheduled  normally,  and  simulation  proceeds.  A  periodic  global 
synchronization  keeps  the  storage  associated  with  checkpoints  within 
manageable  proportions. 

The  initial  implementation  is  for  the  Concert  multiprocessor,  made  available  to  us 
under  the  offices  of  Prof.  Halstead.  We  also  anticipate  running  some  experiments 
with  our  network  of  Texas  Instrument  NU  machines,  which  will  allow  one  to  compare 
the  performance  tradeoffs  between  a  loosely-coupled  environment  with  the  tightly- 
coupled  Concert  environment.  Finally,  both  Harris  Corporation  and  BBN  have 
volunteered  time  on  their  multiprocessors,  which  will  allow  us  to  transfer  our 
technology  outside  of  MIT. 

Simulation  Using  a  Pre-compiled  Network  Model:  A  major  motivation  for  new 
simulation  technology  is  the  desire  to  improve  simulator  performance.  It  seems  that 
digital  computers  ought  to  be  well  suited  for  the  simulation  of  digital  logic. 
Unfortunately,  current  simulation  schemes  involve  several  layers  of  interpretation 
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SYSTEMATIC  PROGRAM  DEVELOPMENT 


1.  INTRODUCTION 

Over  the  last  year  the  Systematic  Program  Development  Group  has  worked  on  two 
related  projects,  the  Larch  Specification  System  and  the  REVE  Rewrite  Rule 
Laboratory.  The  work  on  Larch  has  been  supported  primarily  by  DARPA,  and  the 
work  on  REVE  primarily  by  the  NSF. 


2.  LARCH 

2.1 .  Summary  of  Status  and  Plans 

The  Larch  Project  is  developing  tools  and  techniques  intended  to  aid  in  putting 
formal  specifications  to  productive  use. 

The  central  component  of  the  project  is  a  two  tiered  approach  to  specification  and 
a  family  of  specification  languages  to  support  this  approach.  Each  Larch  language 
has  a  component  derived  from  a  programming  language  and  another  component 
common  to  all  programming  languages.  We  call  the  former  interface  languages,  and 
the  latter  the  shared  language. 

We  use  the  interface  languages  to  specify  program  modules.  Specifications  of  the 
interface  that  one  module  presents  to  other  modules  often  rely  on  notions  specific  to 
the  programming  language,  e  g.,  its  denotable  values  or  its  exception  handling 
mechanisms.  Each  interface  language  deals  with  what  can  be  observed  about  the 
behavior  of  programs  written  in  its  programming  language  Its  simplicity  or 
complexity  is  a  direct  consequence  of  the  simplicity  or  complexity  of  the  observable 
state  and  state  transformations  of  the  programming  language. 

The  shared  language  is  used  to  specify  abstractions  that  are  independent  of  the 
programming  language.  These  abstractions  are  used  within  specifications  written  in 
the  interface  languages.  The  role  of  shared  language  specifications  is  similar  to  that 
of  abstract  models  in  some  other  styles  of  specification. 

We  have  completed  the  design  and  documentation  of  the  Larch  Shared  Language 
[4][5].  We  have  also  designed  an  interface  language  for  CLU. 

2.2.  The  Larch  Family  of  Specification  Languages 

Some  important  aspects  of  the  Larch  family  of  specification  languages  are: 

•  Composability  of  specifications.  We  emphasize  the  incremental 
construction  of  specifications  from  other  specifications.  Larch  has 
mechanisms  for  building  upon  and  decomposing  specifications  as  well 
as  for  combining  specifications. 
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•  Emphasis  on  presentation.  Reading  specifications  is  an  important 
activity.  To  assist  in  this  process,  we  use  composition  mechanisms 
defined  as  operations  on  specifications,  rather  than  on  theories  or 
models. 

•  Interactive  and  integrated  with  tools.  The  Larch  languages  are  designed 
for  interactive  use.  They  are  intended  to  facilitate  the  interactive 
construction  and  incremental  checking  of  specifications.  The  decision 
to  rely  heavily  on  support  tools  has  influenced  our  language  design  in 
many  ways. 

•  Semantic  checking.  It  is  all  too  easy  to  write  specifications  with 
surprising  implications.  We  would  like  many  such  specifications  to  be 
detectably  in  formed.  Extensive  checking  while  specifications  are  being 
constructed  is  an  important  aspect  of  our  approach.  Larch  was 
designed  to  be  used  with  a  powerful  theorem  prover  for  semantic 
checking  to  supplement  the  syntactic  checks  commonly  defined  for 
specification  languages. 

•  Programming  language  dependencies  factored.  We  feel  that  it  is 
important  to  incorporate  many  programming  language-dependent 
features  into  our  specification  languages,  but  to  isolate  this  aspect  of 
specifications  as  much  as  possible.  This  prompted  us  to  design  a  single 
shared  ianguage  that  could  be  combined  in  a  uniform  way  with  different 
interface  languages. 

•  Shared  language  based  on  equations.  The  shared  language  has  a 
simple  semantic  basis  taken  from  algebra.  Because  of  the  emphasis  on 
composability,  checkability  and  interaction,  however,  it  differs 
substantially  from  the  "algebraic"  specification  languages  we  have  used 
in  the  past. 

•  Interface  languages  based  on  predicate  calculus.  Each  interface 
language  is  based  on  assertions  that  can  be  translated  to  first  order 
predicate  calculus  with  equality.  Each  interface  language  incorporates 
programming-language  specific  features  to  deal  with  constructs  such  as 
side  effects,  exception  handling,  and  iterators.  Equality  over  terms  is 
defined  in  the  shared  language;  this  provides  the  link  between  the  two 
parts  of  a  specification. 

By  referring  to  a  shared  language  component  in  an  interface  specification,  we  gain 
the  advantage  that  every  symbol  in  an  assertion  is  precisely  defined  within  the 
specification  language  itself.  In  some  other  specification  methods  there  is  a  reliance 
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on  an  interpretation  for  symbols  in  an  assertion,  where  the  interpretation  comes  from 
outside  the  specification  language.  In  contrast,  some  other  methods  provide  an 
assertion  language  defined  within  the  specification  language,  but  restrict  the 
symbols  to  come  from  a  fixed  set  of  primitives.  We  gain  the  advantage  that  the  user 
is  able  to  provide  just  the  symbols  necessary  to  write  the  assertions  in  the  body  of  a 
specification. 

2.3.  The  Larch  Editing  Tool 

A  year  ago.  Joe  Zachary  completed  the  design  of  a  syntax-directed  editing  tool  that 
facilitates  the  reading  and  writing  of  Larch  specifications  [23].  This  work  proceeded 
from  the  premise  that  the  time  has  arrived  to  construct  specialized  tools  to  support 
the  specification  process. 

Currently,  a  writer  faces  a  series  of  sequential  syntactic  and  semantic  checks  in 
producing  a  Larch  specification.  Context-free  constraints  are  defined  relative  to  free 
text;  context-sensitive  checks,  relative  to  sentences  in  the  context-free  language; 
and  semantic  constraints,  relative  to  syntactically  correct  text.  This  style  of 
definition  lends  itself  to  a  batch  style  of  text  production,  with  the  editing  and  multiple 
checking  phases  distinct  from  one  another. 

This  style  of  support  is  not  satisfactory,  because  it  focuses  upon  detecting  errors 
some  time  after  they  are  committed.  Encrs  are  often  symptomatic  of  some  more 
fundamental  confusion  and  should  be  pointed  out  to  the  writer  as  they  occur.  For 
this  reason,  the  editing  and  checking  phases  in  the  Larch  editoi  are  integrated.  The 
editor  is  interactively  involved  in  the  incremental  production  and  checking  of 
specification  text.  A  full  range  of  error  prevention,  avoidance,  and  detection  is 
available  automatically  at  all  times  during  the  development  of  a  specification. 

This  year  the  editor  was  partially  implemented.  Suresh  Subramanian  built  the 
kernel  of  the  editor,  which  constructs  and  manipulates  on  abstract  representation  of 
Larch  specifications  [21].  This  module  directly  incorporates  the  details  of  Zachary's 
design.  Rich  Robbins  designed  and  implemented  a  terminal  display  scheme  [19], 
His  design  addresses  the  problem  of  efficiently  updating  a  display  in  the  face  of 
incremental  changes  to  an  abstract  text.  Dave  Detlets  is  currently  integrating  these 
two  modules  with  a  user  interface  to  produce  a  working  editor. 


2.4.  Checking  Larch  Specifications 

Larch  shared  language  specifications  must  meet  a  variety  of  semantic  constraints 
in  addition  to  the  syntactic  constraints  that  are  associated  with  any  formal  language. 
This  semantic  checking  frequently  reveals  subtle  mistakes.  Incorrect  specifications 
are  as  easy  to  write  as  incorrect  programs.  Just  as  the  correctness  of  a  program  can 
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be  partially  established  by  testing  it,  we  can  partially  establish  the  correctness  of  a 
formal  specification  by  proving  theorems  about  it.  Ron  Kownacki  has  developed 
techniques  for  automatically  verifying  that  certain  semantic  requirements  are  met  by 
a  formal  specification  in  the  Larch  shared  language  [12j. 

The  shared  language  is  an  algebraic  specification  language.  Each  shared 
language  specification  has  an  associated  first-order  theory  which  is  essentially  a 
theory  of  equality  on  terms.  The  semantic  constraints  on  shared  language 
specifications  are  defined  with  respect  to  that  theory.  We  have  investigated  the 
requirements  of  consistency  and  completeness.  These  properties  are  defined  in  a 
fashion  that  is  similar  to  the  corresponding  definitions  for  theories  in  first-order 
predicate  calculus.  A  specification  is  consistent  if  its  associated  theory  does  not 
contain  contradictory  formulas.  Completeness  is  related  to  the  adequate  definition 
of  operators. 

We  address  two  independent  aspects  of  the  completeness  and  consistency 
requirements  as  they  are  formulated  for  the  shared  language.  Each  is  considered  in 
a  purely  mathematical  setting  as  well  as  from  an  implementation  point  of  view.  We 
have  derived  necessary  and  sufficient  conditions  that  guarantee  that  these 
properties  hold  in  an  arbitrary  shared  language  specification.  These  conditions 
must  form  the  formal  basis  for  any  automated  checking  procedures. 

The  properties  of  completeness  and  consistency  are  undecidable  for  arbitrary 
theories.  As  there  can  exist  no  effective  checking  procedures,  our  goal  has  been  to 
develop  automated  tests  that  usually  succeed  in  practice.  We  have  found  such 
checking  procedures  for  a  subset  of  the  language.  The  common  styles  of 
axiomatization  that  we  have  observed  have  greatly  influenced  their  design. 

We  cannot  yet  provide  an  assessment  of  how  well  the  automatic  checking  will  work 
m  practice,  because  an  implementation  does  not  yet  exist.  The  automatic  checks 
are  designed  to  be  used  in  conjunction  with  a  theorem  proving  system  that  is  based 
on  term  rewriting  system  technology.  The  effectiveness  of  the  procedures  hinges  on 
the  assumption  that  certain  advances  in  term  rewriting  systems  research  will  be 
forthcoming  shortly.  This  assumption  is  justified  by  the  rapid  progress  that  is  being 
made  in  the  area.  In  the  interim  period,  we  can  assess  our  progress  by  noting  that 
our  semantic  checking  problems  have  been  reduced  to  other  problems  that  are  well- 
known  to.  and  under  investigation  by,  researchers  in  the  field. 

T  here  are  limitations  to  our  results  that  should  be  noted.  The  automated  tests  have 
been  developed  for  only  a  subset  of  the  shared  language.  It  is  unclear  whether  our 
methods  can  be  extended  to  encompass  the  full  language,  although  they  will 
certainly  form  an  important  component  of  any  comprehensive  semantic  checking 
system  Another  inherent  limitation  of  our  approach  is  its  dependence  upon  certain 
styles  of  axiomatization.  However,  this  dependence  seems  to  be  justified  by  the 
undecidability  of  the  problems. 
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A  final  limitation  is  that  we  have  not  always  considered  the  checking  procedures  in 
the  context  of  the  complete  specification  environment.  Shared  language 
specifications  can  bo  combined  and  modified  in  various  ways.  We  would  like  to 
minimize  the  amount  of  checking  that  must  be  repeated  after  these  manipulations. 
However,  changes  to  a  specification  do  not  correspond  directly  to  changes  in  the 
associated  theory.  For  this  reason,  we  consider  semantic  checking  of  an 
incrementally  changing  specification  to  be  a  separate  research  problem. 

The  implementation  of  these  tests  will  rely  heavily  upon  the  technology  of  term¬ 
rewriting  systems.  REVE  (see  Section  3)  will  provide  the  necessary  support  for  this 
project. 


3.  THE  REVE  THEOREM  PROVER 

The  availability  of  automatic  tools  for  reasoning  about  Larch  specifications  is 
essential  to  our  specification  approach,  and  has  influenced  the  design  of  Larch 
itself.  Accordingly,  we  have  devoted  considerable  effort  to  the  further  development 
of  REVE,  a  theorem  prover  for  equational  theories.  REVE  will  eventually  be  used  to 
verify  the  consistency  of  specifications  written  in  the  Larch  shared  language,  and  to 
help  analyze  the  meaning  of  such  specifications  (Section  2.4).  REVE  is  now  in  use  in 
many  laboratories  in  the  United  States  and  abroad. 

Several  procedures  are  known  theorem  proving  using  rewriting  techniques.  The 
most  important  of  those  is  the  Knuth-Bendix  completion  procedure  [11],  which 
attempts  to  "complete"  a  rewriting  system  to  make  it  confluent,  and  thus  provide  a 
decision  procedure  for  the  equational  theory  of  the  rewriting  system.  Knuth  Bendix 
requires  the  use  of  a  unification  algorithm,  and  a  reduction  ordering  on  terms  to 
prove  that  the  rewriting  system  terminates.  The  termination  proof  is  the  chief 
impediment  to  automatic  theorem  proving  with  Knuth-Bendix:  using  current 
technology,  user  interaction  is  usually  required  to  assist  the  system  in  making  the 
appropriate  decisions  during  the  proof.  Many  systems,  such  as  Affirm  [17],  offer  no 
support  for  the  termination  proof, 

REVE  was  developed  in  two  stages.  REVE  1  [13]  was  conceived  and  implemented 
by  Pierre  Lescanne  during  his  visit  with  SPD  in  1980  82.  It  included  one  of  the  first 
implementations  of  Knuth-Bendix  to  deal  effectively  and  flexibly  with  termination. 
REVE  2  [3]  was  engineered  from  the  ground  up  by  Randy  Forgaard  and  Dave 
Detlefs,  expanding  upon  Lescanne's  ideas.  In  addition,  REVE  2  seeks  to  provide  1)  a 
solid  source  code  base  upon  which  to  build,  2)  automatic  theorem  proving 
capabilities,  suitable  for  embedding  in  other  applications,  and  3)  a  friendly  and 
powerful  user  interface.  REVE  2  has  been  modularized  and  documented  to  meet  the 
first  goal,  including  a  complete  set  of  abstractions  pertinent  to  rewriting  applications. 
We  have  made  substantial  progress  toward  the  second  goal  by  incorporating 
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features  into  REVE  2  that  allow  termination  proofs  and  Knuth-Bendix  to  proceed 
nearly  automatically  in  an  intelligent  fashion.  The  third  goal  has  been  addressed 
with  a  flexible  command  interpreter  that  provides  a  rich  set  of  commands,  explicit 
control  over  rewriting  and  termination  proof  strategies,  on  line  help  facilities,  and 
detailed  error  messages. 

The  following  sections  discuss  the  most  significant  aspects  of  REVE.  Section  3.1 
outlines  our  current  work  on  automatic  termination  proofs  in  REVE.  Section  3.2 
describes  REVE’s  failure-resistant  Knuth-Bendix  implementation.  Section  3.3 
discusses  REVE's  role  as  a  rewrite  rule  laboratory,  and  our  work  with  General 
Electric  in  this  regard.  Finally,  Section  3.4  presents  the  REVE  work,  currently 
underway,  that  will  be  the  major  implementation  thrust  in  the  coming  year. 

3.1.  Toward  Automatic  Proofs  of  Termination  for  Rewriting  Systems 

REVE  provides  a  number  of  simplification  orderings  [1]  for  use  by  Knuth-Bendix. 
These  orderings  on  terms  are  a  powerful  means  of  proving  termination:  as  each 
equation  is  turned  into  a  rewrite  rule,  the  rule  is  oriented  so  that  the  left-hand  side  is 
greater  (under  the  ordering)  than  the  right-hand  side.  Recent  simplification 
orderings  are  parameterized  on  a  precedence  (partial  ordering  on  equivalence 
classes  of  the  basic  function  symbols)  and  status  map  (for  each  function  symbol,  the 
relative  importance  of  its  arguments  in  the  simplification  ordering). 

Though  simplification  orderings  are  more  satisfactory  for  automatic  termination 
proofs  than  other  reduction  orderings,  most  simplification  ordering  implementations 
require  that  the  precedence  and  status  map  be  given  a  priori.  This  limitation  is  a 
significant  obstacle  in  the  development  of  automatic  termination  proof  techniques, 
since  there  is  no  easy  way  to  automatically  choose  an  appropriate  precedence  and 
status  map  beforehand. 

To  address  this  difficulty,  REVE  allows  the  precedence  and  status  map  to  be 
extended  incrementally.  Whenever  an  equation  cannot  be  ordered  under  the 
current  precedence  and  status  map,  the  equation  is  presented  to  the  user,  and  the 
user  chooses  extensions  that  might  allow  the  equation  to  be  ordered.  The  recursive 
decomposition  ordering  with  status  (RDOS)  [8][14](15]  gives  partial  support  for  this 
method  by  suggesting  precedence  extensions  that  might  order  the  equation.  Even 
with  the  suggestions  from  RDOS.  however,  the  termination  proof  is  not  automatic. 
RDOS  provides  no  suggestions  for  making  function  symbols  equivalent  in  the 
precedence.  There  is  no  automatic  means  for  deciding  on  the  appropriate  subset  of 
the  RDOS  suggestions  to  use  in  extending  the  precedence.  RDOS  gives  no 
suggestions  for  extending  the  status  map. 

To  solve  these  problems,  we  developed  and  implemented  the  direct  synthesis 
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monotonic  path  ordering  with  status  (DSMPOS)  in  June  1984.  When  an  equation 
cannot  be  ordered,  the  implementation  of  DSMPOS  provides  a  complete  set  of 
minimal  precedence  and  status  map  extensions  that  will  order  the  equation.  If  some 
equation  is  encountered  for  which  there  are  no  such  extensions,  REVE's  "undo" 
facility  can  be  used  to  back  up  to  some  decision  point  and  choose  a  different 
extension  for  a  previous  unorderable  equation.  When  such  a  scheme  is 
systematically  pursued,  it  amounts  to  an  automatic  depth-first  search  for  some 
precedence  and  status  map  that  will  prove  the  termination  of  the  rewriting  system. 
Presently,  REVE  presents  the  complete  set  of  minimal  extensions  to  the  user,  and 
the  user  chooses  one.  We  are  currently  implementing  a  facility  for  automatically 
iterating  over  the  possible  extensions  and  automatically  undoing  when  a  dead  end  is 
reached. 

Although  DSMPOS  and  RDOS  are  the  same  ordering  when  the  precedence  and 
status  map  are  total,  RDOS  can  order  some  equations  that  are  not  orderable  by 
DSMPOS  under  a  partial  precedence  and  status  map.  In  February  1984,  we 
developed  the  exhaustive  monotonic  path  ordering  with  status  (EMPOS),  which  is 
more  powerful  than  RDOS.  and  has  some  of  the  automatic  features  of  DSMPOS. 

Both  DSMPOS  and  EMPOS  are  based  on  the  monotonic  path  ordering  with  status 
(MPOS),  an  improvement  to  the  recursive  path  ordering  with  status  (RPOS)  [I0]that 
makes  the  ordering  monotonic  in  the  status  map.  In  both  RPOS  and  RDOS. 
extending  the  status  map  may  change  the  orientation  of  previous  rewrite  rules,  or 
even  make  previously  ordered  rules  unorderable.  The  monotonicity  properties  of 
MPOS  solve  these  problems. 


3.2.  A  Failure-Resistant  Implementation  of  Knuth-Bendix 

REVE's  Knuth-Bendix  implementation  is  an  improved  version  of  Huet's  [6],  which  is 
itself  a  more  efficient  version  of  the  original  [11],  The  chief  improvements  of  the 
REVE  implementation  over  Huet’s  are: 

•  REVE  does  not  require  that  the  precedence  and  status  map  be  given  a 
priori.  They  may  be  incrementally  extended  as  each  unorderable 
equation  is  considered. 

•  The  user  may  interrupt  and  "undo"  me  completion  process  at  any  time, 
to  return  to  any  previous  decision  point.  This  might  be  used,  for 
example,  to  choose  a  different  precedence  or  status  map  extension  for  a 
previous  unorderable  equation. 

•  REVE's  Knuth-Bendix  does  not  necessarily  fail  when  an  unorderable 
equation  is  found.  If  there  are  no  acceptable  precedence  or  status  map 
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extensions  for  an  unorderable  equation,  the  user  may  postpone  the 
equation. 

•  REVE  incorporates  a  postponement  scheme  that  assists  in  applications 
where  automatic  operation  is  required,  including  the  automatic 
postponement  of  large  equations. 

•  REVE  computes  smaller  critical  pairs  first,  which  can  expedite  the 
completion  process. 


3.3.  Rewrite  Rule  Laboratory 

While  the  progress  of  research  into  rewriting  systems  has  been  significant,  it  has 
been  impeded  by  the  inordinate  difficulty  of  implementing  and  using  the  increasingly 
complex  algorithms  prevalent  in  state-of-the-art  term  rewriting  research.  The  crux  of 
the  problem  is  twofold:  the  large  effort  required  to  build  state-of-the-art  software  and 
the  difficulty  of  acquiring  usable  software  from  others.  The  difficulty  of  acquiring  or 
constructing  good  rewriting  software  serves  both  to  slow  down  the  work  of  those 
already  involved  in  studying  or  using  term  rewriting  systems  and  to  inhibit  the  entry 
of  new  researchers  into  the  field.  It  affects  theoretical  work  as  well  as  application- 
oriented  work. 

To  help  bridge  the  software  gap,  REVE  provides  some  limited  experimentation 
facilities,  and  has  been  carefully  modularized  with  layered,  rewriting-related 
abstractions  to  permit  fast  implementations  of  new  algorithms  using  REVE's 
modules.  In  the  past  year,  researchers  in  several  laboratories  have  successfully 
written  applications  that  use  some  or  all  of  the  modules  in  REVE. 


3.4.  Equational  Term  Rewriting  Systems 

The  correctness  of  Knuth  Bendix  requires  that  the  rewriting  system  terminate  at 
each  step  of  the  procedure.  This  requirement,  together  with  the  limitations  of 
classical  unification,  disallows  the  use  of  useful  permutative  equations  such  as 
commutativity. 

Jouannaud  and  Kirchner  [7][9]  have  addressed  this  problem  by  extending  the 
Knuth  Bendix  procedure  to  operate  upon  an  equational  term  rewriting  system 
(ETRS):  a  rewriting  system  together  with  a  set.  E,  of  equations.  The  equations  in  E 
are  not  converted  into  rules;  instead,  extended  Knuth-Bendix  exploits  a  finite  and 
complete  unification  algorithm  for  the  equational  theory  of  E.  In  a  cooperative 
venture.  Helene  Kirchner  and  Claude  Kirchner  of  the  Centre  de  Recherche  en 
Informatiquo  de  Nancy,  France,  are  developing  REVE  3.  which  will  incorporate  the 
Jouannaud-Kirchner  procedure.  Their  implementation  makes  use  of  the  generalized 
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•  whenever  the  algorithm  produces  a  bisection,  it  is  guaranteed  to  be 
optimal  (i.e.,  the  algorithm  also  produces  a  proof  that  the  bisection  it 
outputs  is  an  optimal  bisection),  for  any  kind  of  graph, 

•  the  algorithm  works  well  both  theoretically  and  experimentally, 

•  the  algorithm  employs  global  methods  such  as  network  flow  instead  of 
local  operations  such  as  2-changes,  and 

•  the  algorithm  works  well  for  graphs  with  small  bisections  (as  opposed  to 
graphs  with  large  bisections,  for  which  random  bisections  are  nearly 
optimal). 


2.6.  Benny  Chor 

My  research  during  the  last  year  was  primarily  concentrated  in  cryptography.  The 
main  results  are  contained  in  two  papers.  One  was  written  jointly  with  Oded 
Goldreich  (to  appear  in  FOCS,  October  19 84)  [5],  and  the  other  with  Ron  Rivest 
(submitted  to  Crypto84)  [6]. 

In  the  first  paper,  we  prove  that  RSA  least  significant  bit  is  1/2  +  1/logcN  secure, 
for  any  constant  c  (where  N  is  the  RSA  modulus).  This  moans  that  an  adversary, 
given  the  ciphertext,  cannot  guess  the  least  significant  bit  of  the  plaintext  with 
probability  better  than  1/2  +  1/logcN.  unless  he  can  break  RSA. 

Our  proof  technique  is  strong  enough  to  give,  with  slight  modifications,  the 
following  related  results: 

1)  The  tog  N  least  significant  bits  are  simultaneously  1/2  +  1/logcN 
secure. 

The  above  also  holds  for  Rabin's  encryption  function. 

Our  results  imply  that  Rabin/RSA  encryption  can  be  directly  used  for  pseudo 
random  bits  generation,  provided  that  factoring/inverting  RSA  is  hard. 

In  the  second,  we  introduce  a  now  knapsack  type  public  key  cryptosystem.  The 
system  is  based  on  a  novel  application  of  finite  fields  arithmetic,  following  a 
construction  by  Bose  and  Chowla.  Appropriately  choosing  the  parameters,  we  can 
control  the  density  of  the  resulting  knapsack.  In  particular,  the  density  can  be  made 
high  enough  to  foil  "low  density"  attacks  against  our  system. 
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and  data  type  declarations.  The  syntax  and  the  semantics  of  the  typed  lambda 
calculus  can  be  made  to  play  a  crucial  role  in  such  descriptions. 

Within  this  framework  I  studied  different  formalisms  that  can  be  used  to  add 
product  and  sum  types  to  the  the  classical  typed  lambda  calculus  that  has  just 
functional  types.  I  compared  the  reduction  theories  corresponding  to  these 
approaches  from  the  perspective  of  strong  normalization  and  Church-Rosser 
results. 

Another  topic  that  I  researched  is  that  of  a  unitary  model  theory  for  type-tree  and 
typed  lambda  calculus.  Within  this  topic  I  studied  the  various  definitions  of  models  of 
the  lambda  calculus  that  appear  in  the  literature  with  particular  emphasis  on  the 
extent  to  which  these  models  behave  like  first-order  algebras. 

More  generally,  when  we  allow  the  types  to  satisfy  constraints  (domain  equations), 
we  are  driven  toward  considering  as  models  (small)  cartesian  closed  categories.  My 
current  research  goal  is  to  describe  a  coherent  model  theory  for  this  situation  that 
would  parallel  and  generalize  the  one  for  the  type  free  lambda  calculus  by  using 
cartesian  closed  categories  instead  of  lambda  algebras. 

2.5.  Thang  Bui 

My  major  research  activity  of  this  year  was  to  analyze  the  performance  of  graph 
bisection  heuristics.  This  work  was  done  in  collaboration  with  S.  Chaudhuri, 
T.  Leighton,  and  M.  Sipser. 

The  graph  bisection  problem  is  the  problem  of  finding  the  minimal  set  of  edges  of  a 
graph  whose  removal  will  divide  the  graph  into  two  disjoint  subgraphs  of  equal  size. 
This  problem  is  known  to  be  NP-complete.  There  are  some  well  known  heuristics  for 
solving  this  pioblem,  e.g.,  the  Kernighan-Lin  algorithm.  However,  no  provable 
performance  of  any  of  these  heuristics  are  known.  The  result  of  our  work  is  a 
polynomial  time  algorithm.  For  every  input  graph,  this  algorithm  either  outputs  the 
minimum  bisection  of  the  graph  or  halts  without  output.  More  importantly,  we  show 
that  the  algorithm  chooses  the  former  course  with  high  probability  for  many  natural 
classes  of  graphs.  In  particular,  for  every  d  >  3.  all  sufficiently  large  n  and  all  b 
=  o(n'  2/M *  the  algorithm  finds  the  minimum  bisection  for  almost  all  d-regular 
graphs  with  n  nodes  and  bisection  width  b.  For  example,  the  algorithm  succeeds  for 
almost  all  5-regular  graphs  with  n  nodes  and  bisection  width  o(n2/3).  The  algorithm 
differs  from  other  graph  bisection  heuristics  (as  well  as  from  many  heuristics  for 
other  /VP-complete  problems)  in  several  respects;  most  notably: 

•  the  algorithm  provides  exactly  the  minimum  bisection  for  almost  all  input 
graphs  with  the  specified  form,  namely  the  d  regular  graphs  with  2rt 
nodes  and  bisection  width  b  -  o(n12/,d  *  f>),  instead  of  only  an 
approximation  of  the  minimum  bisection, 
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obtain  a  decision  procedure  using  d'tteient  notions  of  normal  forms.  Inoced 
Bercovici  proved  that  any  (/<>;)  normal  form  of  a  given  term  is  reachable  through  a 
paiticular  strategy  and  so  the  (possibly  infinite',  set  of  these  forms  arc-  relatively  easy 
to  compute  and  can  he  used  to  compare  terms.  They  are  of  course  mostly  useful  for 
finding  terms  that  are  not  provably  equal.  This  result  was  used  for  finding  unsolvable 
terms  that  are  not  provably  equivalent. 

Another  strategy  has  been  investigated  that  was  inspired  by  the  fixed  point 
semantics  [22j.  Another  direction  ot  work  was  based  on  a  suggestion  of  Michael 
Karr.  He  proposed  a  reduction  system  that  extends  the  (/{»})  rules  plus  x(Yx)  ■>  Yx 
and  is  weak  Chinch  Rosser.  A  refinement  of  the  ideas  used  for  Tint's  proof  of  strong 
normalization  seem  to  be  required  to  make  the  method  work  in  this  case. 


2.3.  Ravi  Boppana 

This  year  I  have  been  doing  research  on  the  complexity  of  Boolean  circuits.  The 
circuit  model  that  I  consider  allows  alternating  levels  of  AND  gates  and  OR  gates, 
witfi  each  gate  allowed  unbounded  frmin  and  fanout,  the  size  of  a  circuit  is  the 
number  of  gates  it  contains,  and  its  depth  is  the  number  of  alternating  levels. 

Furst,  Saxe,  and  Sipscr  [9j,  and  independently  Ajtai  |3j.  have  shown  that  the  parity 
function  (which  is  1  if  an  odd  number  of  its  variables  are  i)  lequuos  more  than 
polynomial  size  to  compute  on  constant  depth  circuits.  Unfortunately,  the  gap 
between  their  lower  bound  and  the  best  known  upper  bound  is  large,  and  the  exact 
complexity  of  the  parity  function  is  still  a  major  open  problem. 

I  haven't  solved  the  above  problem,  but  I  have  been  able  to  solve  a  weaker 
problem.  Consider  the  model  of  monotone  circuits,  which  are  circuits  which  have  no 
negations  appearing  in  them.  In  [4],  l  showed  that  computing  the  majority  function 
(winch  is  1  if  at  least  one  half  of  its  variables  are  1)  on  constant  depth  circuits 
requires  exponential  size. 

This  result  implies  exponential  lower  bounds  for  other  functions  as  well,  including 
graph  connectivity  and  detecting  large  cliques  in  graphs.  These  lower  bounds  are 
obtained  using  constant  depth  reductions. 

Currently  I  am  interested  in  extending  these  results  to  the  case  nonmonotine 
circuits.  Even  improved  lower  bounds  for  depth  3  circuits  would  be  voiy  interesting. 

2.4.  Val  Breazu  Tannen 

My  research  addresses  problems  encountered  when  trying  to  give  adequate 
s<  m.intic  descriptions  for  programming  languages  that  allow  higher  order  procedure 
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2.  MEMBER  REPORTS 

2.1.  Amihood  Amir 

Temporal  Logic:  Piiviousi',  nr  compute  set  of  connectives  was  Known  for 
nonlinear  time  models  A  method  of  const! noting  time  models  with  a  complete  set  of 
conik  ctivcs  is  shown  in  [  1  ]  and  <  ■>  nmples  of  nonlinear  e.piessively  complete  models 
aie  brought  using  this  construction  metnod. 

VLSI  Algorithms:  Planarity  ■.  in  clone  toi  connectivity  of  modules  was  shown  by 
Ron  Pmti  r  to  be  possible  in  Iiih.mi  time.  A  factor,  direct  algorithm  is  given  in  [2]  for 
unfiippabie  modules.  It  the  algorithm  can  tie  adapted  to  the  flippable  case.  It  could 
otter  an  alternative  to  Mopcrutt  and  Taijan’s  planar  graph  embedding  algorithm  in 
some  cases. 

Lambda  Calculus:  Conditions  are  sought  under  which  fragment  of  a  model  • 
base  type  and  some  base  to  base  functions  can  be  embedded  in  a  fixed  or  least  fix 
point  type  frame. 

2.2.  I rina  Bercovici 

Research  in  donotational  semantics  (sec  for  example  (22])  has  strengthened 
interest  in  a  number  of  extensions  of  typed  A  calculus.  The  major  issues  are 
decidability  of  equivalence  and  non  equivalence  of  terms,  complexity  of  decision 
procedures,  fhe  traditional  do'usion  pro.  <-ss  for  establishing  equivalence  of 
A- terms  is:  compute  the  normal  forms  and  compare  tfkrn.  This  idea  works  in 
systems  whose  equivalence  relation  is  based  on  reduction  rules  that  are  Church 
Rosser  and  weakly  normalizable.  One  of tr  n  pioves  these  properties  actually 
proving  only  weak  Church  Rosser  .  but  strong  normalization. 

Bercovici  analyzed  these  properties  for  \  calculus  v.;th  subjective  pairing.  A 
Stronger  and  corrected  version  of  a  paper  by  Gandy  ( 1 0J  proving  strong 
normalization  for  pairing  and  direct  sum  was  obtained  This  new  version  (besides 
correcting  flows  in  the  existing  proofs)  extends  the  method  to  incorporate  the 
axioms  of  subjectivity  for  the  two  new  operations  and  also  does  not  require  the 
assumption  that  the  system  is  weakly  normalizable.  Another  proof  of  strong 
normali/ability  for  the  system  with  subjective  pairing  was  provided  point  work  with 
Michael  Karr.  Harvard)  using  Tait's  method. 

The  real  challenge  is  proving  decidability  for  another  extension  of  the  calculus, 
namely  the  one  endowed  with  the  constant  Y  (at  all  appropriate  types)  and  the  axiom 
Yx  -  x(Yx),  Using  the  rule  Yx  >  x(Yx)  together  with  (/()  and  (ij)  one  obtains  a 
Church  Rosser  system  which  is  obviously  not  terminating  Still  one  may  hope  to 
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1.  INTRODUCTION 

The  Theory  of  Computation  Group  has  had  a  productive  and  prolific  year,  with 
research  progressing  on  many  fronts.  Specifically,  work  was  done  in  the  areas, 
among  others,  of: 

•  models  of  the  (typed  and  untyped)  lambda  calculus 

•  VLSI  placement  and  routing  algorithms 

•  graph  bisection  heuristics 

•  analysis  of  the  security  of  the  RSA  cryptosystem 

•  new  knapsack-type  public-key  cryptosystems 
«  database  theory 

•  pseudo  random  number  generation 

•  knowledge  complexity 

•  new  signature  schemes  resistant  to  adaptive  chosen  message  attacks 

•  systolic  arrays 

•  relativized  computations 

•  algorithms  on  groups 

•  algorithms  for  sliding -block  puzzles 

•  parallel  computation 

•  "fat  tree"  supercomputer  architectures 

•  complexity  of  unification  procedures 

•  complexity-based  theory  of  randomness 

•  circuit  complexity  of  finite  functions 

The  progress  of  the  Theory  Group  is  summarized  in  the  following  reports  by  the 
individual  members  of  the  group. 
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4.  Walters.  M.G,  "An  Illustrated  Object  Code  Optimizer."  S.B.  thesis,  MIT 
Department  of  Electrical  Engineering  and  Computer  Science, 
Cambridge,  MA,  June  1984. 

Theses  in  Progress 

1.  Forgaard,  R.  J.  "A  Program  for  Generating  and  Analyzing  Term 
Rewriting  Systems,"  S.M.  thesis,  MIT  Department  of  Electrical 
Engineering  and  Computer  Science,  Cambridge,  MA,  expected 
September  1984. 

2.  Yelick,  K.A.  "A  Generalized  Approach  to  Equational  Unification",  S.M. 
thesis.  MIT  Department  of  Electrical  Engineering  and  Computer 
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Rewriting  Systems; 
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Wang  Institute; 

IFIP  Working  Group  2.2. 
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•  Minimality:  The  set  of  unifiers  produced  must  be  the  maximally  general 
set. 


•  Efficiency:  Comparisons  must  be  made  between  different  unification 
algorithms  for  the  same  E-theory,  and  between  E- unification  and 
alternative  approaches  to  embedding  the  same  equational  information  in 
the  system. 

The  AC-unification  algorithm  was  studied  in  detail.  The  best  known  algorithms 
[20][16][2],  are  not  minimal.  Although  minimality  can  be  achieved  in  any  E- 
unification  algorithm  by  searching  the  resulting  substitution  set  for  pairs  of 
substitutions  in  which  one  is  a  factor  of  the  other,  this  check  is  very  expensive. 
Minimality  is  important  from  an  efficiency  standpoint  because  otherwise  a  large  set 
of  unifiers  will  have  to  be  handled  fcy  the  surrounding  application.  We  have  found  a 
modification  to  the  published  algorithms  that  eliminates  many  non-minimal  unifiers 
and  improves  the  running  time  on  many  practical  examples. 
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implemented.  In  the  implementation,  new  E-unification  modules  can  literally  be 
plugged  in  by  adding  them  to  the  list  of  currently  supported  algorithms. 

To  justify  the  soundness  of  our  approach,  a  formal  analysis  was  carried  out.  First, 
a  proof  of  correctness  was  found  for  the  generalized  algorithm  to  show  that  all 
substitutions  produced  were  in  fact  unifiers.  Second,  a  proof  of  completeness  was 
developed.  Proving  termination  has  proven  to  be  the  hardest  part  of  the  analysis. 
Given  terminating  E-unification  algorithms,  it  is  possible  that  the  combined 
unification  algorithm  will  not  terminate,  although  no  examples  of  this  have  been 
found.  We  are  currently  looking  for  sufficient  conditions  upon  equational  theories 
that  assure  termination. 

In  addition,  the  unification  algorithms  for  the  associative-commutative  and  empty 
theories  were  implemented  as  the  most  useful  theories  in  practice  and  as  examples 
for  testing  the  generalized  algorithm.  The  following  section  discusses  the  AC- 
unification  algorithm  as  well  as  some  of  the  criteria  used  in  choosing  AC-unification 
as  a  useful  kind  of  E-unification.  The  implementation  effort  was  started  in  October, 
1983  and  a  working  system  was  completed  in  January  of  1984;  another  month  was 
spent  optimizing  and  improving  the  implementation,  particularly  the  associative- 
commutative  algorithm. 

AC-Unification:  To  provide  examples  for  testing  the  generalized  algorithm,  the 
unification  algorithm  for  associative-commutative  theories  was  implemented.  One 
reason  for  choosing  AC  theory  is  that  AC  operators  such  as  multiplication  and 
addition  occur  frequently  in  practice.  A  second  reason  is  that  these  axioms  cause 
difficulties  in  automated  reasoning  systems.  In  PROLOG,  for  example,  if  a  relation  is 
declared  to  be  commutative  using  a  normal  procedure  declaration,  the  program  will 
loop.  The  associative  and  commutative  axioms  cause  similar  problems  in  term 
rewriting  systems.  Finally,  unlike  some  equational  theories  in  which  unification  may 
be  undecidable  or  inherently  non-terminating,  an  effective  unification  algorithm  is 
known  for  AC  unification. 

There  are  five  properties  of  unification  algorithms  that  we  consider  desirable,  listed 
in  decreasing  order  of  importance: 

•  Correctness:  Extraneous  substitutions  that  are  not  unifiers  of  the  input 
terms  cannot  be  produced. 

•  Completeness:  The  set  of  unifiers  produced  must  at  least  contain  all  of 
the  maximally  general  unifiers. 

•  Termination:  This  is  not  always  essential,  depending  upon  the  problem 
domain. 
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unification  strategy  designed  by  Kathy  Yelick  of  SPD,  as  well  as  her  implementation 
of  a  unification  algorithm  for  AC  theories  [22]  (see  below). 

Unification:  Given  two  terms  containing  function  symbols  and  variables,  the 
classical  unification  problem  is  to  find  a  uniform  replacement  of  terms  for  variables 
that  renders  the  two  terms  equal.  For  example,  the  terms  f(g(x),  g(y))  and  f(y,  z)  can 
be  unified  by  replacing  y  with  g(x)  and  z  with  g(g(x)).  We  are  usually  interested  in  the 
variable  to  term  mapping,  called  a  substitution,  which  makes  the  terms  equal,  and 
not  just  in  the  resulting  unified  term.  In  general,  there  are  an  infinite  number  of 
unifying  substitutions  for  two  terms,  but  in  classical  unification  all  unifiers  are  an 
instance  of  a  unique  most  general  unifier. 

The  idea  of  extending  the  unification  process  to  equational  unification  was  first 
suggested  by  Plotkin  [18]),  who  showed  how  it  can  be  used  in  conjunction  with 
resolution-based  theorem  provers.  In  equational  unification,  or  E-unification,  a 
substitution  unifies  two  terms  if  applying  the  substitution  to  the  input  results  in  terms 
that  are  provably  equal  in  a  given  equational  theory.  In  some  equational  theories 
there  is  not  a  single  most  general  unifier  but  rather  of  set  of  maximally  general 
unifiers  which  characterize  the  sot  of  unifying  substitutions. 

Generalized  Unification:  Much  of  the  work  to  date  in  equational  unification  has 
been  theoretically  motivated -  deciding  whether  there  exists  a  unification  algorithm 
for  a  particular  equational  theory  and  what  form  the  algorithm  takes.  The  theoretical 
bent  of  the  field  has  led  to  some  simplifying  assumptions  on  the  structure  of  terms; 
many  of  the  algorithms  are  developed  to  handle  terms  whose  operators  all  have  the 
same  properties. 

Yelick  has  defined  a  generalized  approach  to  the  unification  process  by  showing 
how  algorithms  for  different  equational  theories  may  be  combined  in  some  cases  to 
yield  unification  procedures  for  terms  with  mixed  sets  of  operators.  For  example, 
given  a  unification  algorithm  for  the  associative-commutative,  or  AC  theory,  and 
another  for  the  abelian  group  theory,  we  can  automatically  combine  the  algorithms 
to  unify  terms  such  as  x  +  (y  *  (  z)),  where  *  is  associative  and  commutative  and  + 
and  •  are  operators  of  an  abelian  group. 

The  first  stage  in  developing  the  generalized  algorithm  was  an  analysis  of  the 
unification  process  in  different  equational  theories  to  determine  what  kinds  of 
theories  can  be  automatically  combined  and  which  steps  in  the  unification  process 
are  independent  of  the  equational  theory  being  used.  A  theoretical  description  for 
the  generalized  algorithm  was  made  which  involved  deciding  on  the  exact  interface 
and  functionality  of  all  E  unification  algoiithms  as  well  as  the  encompassing  module. 

A  second  step  was  an  implementation  to  support  the  generalized  algorithm  and 
allow  simple,  automatic  extension  to  new  E  unification  algorithms  as  they  are 


232 


1 1  il-.ORY  Of  COMfnj  I  AT  ION 


2.7.  Stavros  Cosmadakis 

We  continued  our  research  on  the  implication  problem  for  functional  and  inclusion 
dependencies.  Specifically,  we  concentrated  on  the  problem  of  inferring  functional 
dependencies  in  a  pairwise  consistent  multi-relational  database.  We  showed  that 
the  problem  is  undecidablo  in  general,  but  becomes  decidable  if  the  functional 
dependencies  satisfy  an  acyclicity  condition.  Under  that  condition,  we  also  showed 
that  the  problem  is  finitely  controllable,  i.e.,  unrestricted  implication  coincides  with 
finite  implication.  These  results  were  obtained  by  exploiting  a  new  graph -theoretic 
methodology  introduced  in  [7\. 

2.8.  Oded  Goldreich 

During  this  year,  my  main  interests  have  been  in  cryptography  and  especially  in 
two  topics:  strong  pseudo  random  g  lerators  and  the  bit  security  of  the  plaintext 
when  encrypted  using  the  RSA  schei  3. 

2.9.  Shafi  Goldwasser 

Algorithmic  Randomness:  Goldreich.  Goldwasser  and  Micali  [11]  investigated 
the  field  of  algorithmic  randomness.  The  goal  is  to  develop  a  coherent  theory  of 
randomness  based  on  computational  difficulty.  The  approach  is  very  constructive. 
In  view  of  applications,  particular  attention  has  been  devoted  to  finding  the  most 
powerful  properties  of  randomness  that  can  bo  achieved  by  polynomial-time 
simulations. 

The  most  significant  result  is  a  novel  algorithm  that  transforms  any  one-way 
function  (i.e..  a  possible  candidate  is  the  RSA  function)  and  a  secret  randomly 
selected  k  bit  input  'i'  to  a  pseudo  random  function  ft  from  k  bit  strings  to  k  bit 
strings.  These  functions  can  be  used  in  many  applications.  They  are  easy  to  select 
(by  selecting  their  k  bit  index)  and  easy  to  evaluate  (on  inputs  r  and  x,  (x)  is 
computable  in  polynomial  time).  Still  Ihey  cannot  be  distinguished  from  truly  random 
functions  by  any  polynomial-time  algorithm  that  does  not  know  r  but  can  ask  for  and 
receive  the  value  of  the  function  at  inputs  of  its  choice.  The  new  construction  has 
applications  to  cryptography,  complexity  theory  and  distributed  computing. 

Cryptography:  Professor  Goldwasser  and  Professor  Blum  (Berkeley)  proposed  a 
new  probabilistic  Public-Key  Encryption  Scheme  [12].  Every  message,  in  this 
system,  has  many  possible  encodings,  each  of  which  is  selected  by  the  sender  at 
random  via  a  sequence  of  coin  flips.  The  security  of  this  system  is  based  on  the 
assumption  that  the  integer  factorization  problem  is  intractable.  In  particular,  no 
polynomial  time  bounded  line-tapper  can  compute  any  partial  information  about 
messages  from  their  encodings,  unless  factoring  integers  is  in  polynomial  time. 
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Partial  information  is  defined  to  be  any  function  (polynomial  time,  non -recursive...) 
defined  on  the  message  space.  No  deterministic  encryption  scheme,  such  as  RSA, 
could  possibly  pass  such  security  requirements.  Our  scheme  is  comparable  in 
efficiency  with  existing  deterministic  schemes.  I*  requires  constant  data  expansion 
and  is  at  least  as  fast  at  the  RSA  cryptosystem. 

Cryptographic  protocols  are  based  on  the  secrecy  of  some  private  knowledge  and 
should  preserve  such  secrecy.  The  big  open  problems  in  the  area  are  how  to  check 
the  correctness  of  a  cryptographic  protocol  and  when  the  principle  of  modularity 
design  can  be  correctly  applied  (i.e.,  under  which  conditions  correct  subprotocols 
can  be  combined  in  complex  protocols  so  as  to  preserve  correctness).  Goldwasscr, 
Micali  and  Rackoff  [14]  presented  a  novel  computational  complexity  measure  of 
knowledge  and  applied  it  to  cryptographic  protocols.  They  measured  how  much 
knowledge  is  released  by  the  execution  of  a  protocol.  This  lead  to  a  theorem 
fundamental  for  checking  correctness  of  protocols  and  to  discovering  sufficient 
conditions  for  correctly  applying  modular  design. 

Goldwasser,  Micali  and  Rivest  presented  a  new  signature  scheme  [13].  The 
novelty  of  the  scheme  is  that  the  ability  of  foregoing  messages  is  proved 
computationally  equivalent  to  the  problem  of  integer  factorization  (in  previous 
schemes  it  was  only  proved  that  the  ability  to  factor  would  imply  ability  to  forge,  but 
not  vice  versa).  Moreover,  it  is  proved  that  forging  remains  hard  even  if  an  adversary 
is  allowed  to  ask  and  receive  signatures  of  messages  of  his  choice;  i.e.,  the  scheme 
is  secure  against  chosen  ciphertext  attack.  Such  a  security  feature  is  essential  for 
some  applications.  For  example,  a  notary  public  has  no  control  over  the  messages 
that  he  has  to  sign.  He  is  thus  particularly  vulnerable  against  chosen  signature 
attack. 

A.  Yao  shows  how  to  use  the  Exclusive-Or  function  to  transform  a  weak  one-way 
function  (a  function  which  is  hard  to  invert  on  a  polynomial  fraction  of  its  domain) 
into  an  unapproximabte  Boolean  predicate  (a  Boolean  predicate  which  can  be 
computed  no  better  than  by  guessing  at  random,  by  any  polynomial  time, 
probabilistic  algorithm).  Professor  Goldwasser  gave  a  simplified  proof  of  this 
theorem  and  showed  how  to  construct  a  Boolean  predicate  which  is  unapproximable 
if  and  only  if  factoring  is  intractable  using  the  Exclusive-Or  operator.  This  predicate 
has  applications  to  Pseudo  Random  Bit  Generators  and  Public-Key  Encryption. 


2.10.  Ron  Greenberg 

I  have  completed  two  major  projects  during  my  first  year  at  MIT.  The  first  one  is  an 
nMOS  chip  containing  two  processors  for  a  linear-array  systolic  priority  queue  with 
variable  length  keys.  This  helped  educate  me  about  VLSI  design  and  systolic 
systems  rather  than  being  an  original  research  endeavor.  The  second  project  is  a 
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systolic  simulator  intended  to  provide  capabilities  for  describing  systolic  systems  in  a 
concise  way,  simulating  them,  and  performing  analyzes  and  transformations  such  as 
retiming.  I  believe  that  I  have  made  a  good  start,  but  the  simulator  would  benefit 
from  the  addition  of  some  more  descriptional  aids  and  tools  for  analysis  and 
transformation.  Hopefully,  this  project  will  be  put  to  practical  use  in  high  level 
architectural  investigations,  such  as  "fat  tree"  simulations. 

Currently,  I  am  beginning  to  look  into  several  issues  raised  by  Professor 
Leiserson's  work  on  fat  trees. 

2.1 1 .  Ray  Hirschfeld 

Almost  all  oracles  separate  P  and  NP,  which  lends  credence  to  the  conjecture  that 
these  two  classes  are  in  fact  distinct.  No  analogous  result  is  known  for  P  vs.  the 
intersection  of  NP  and  co  NP.  Ray  Hirschfeld  is  working  on  a  version  of  this  problem 
in  which  the  machines  can  take  as  much  time  as  they  wish,  but  can  make  only  a 
limited  number  of  oracle  queries.  This  may  provide  insight  into  the  time  bounded 
case,  which  in  turn  will  shed  some  light  on  the  non-relativized  situation.  The 
relationship  between  these  two  complexity  classes  is  of  practical  importance,  since, 
for  example,  their  equality  implies  that  factoring  integers  is  "easy." 

2.12.  Daniel  Kornhauser 

Daniel  Kornhauser  and  Gary  Miller  found  a  polynomial  time  algorithm  for  deciding 
the  solvability  of  a  certain  pebble  motion  problem  on  graphs,  which  is  a 
generalization  of  Sam  Loyd's  ‘15-puzzle’  and  is  related  to  problems  of  memory 
management  in  totally  distributed  computer  systems.  This  decision  algorithm 
generalizes  an  algorithm  of  R.M.  Wilson  which  applied  only  to  biconnected  graphs 
with  one  blank  vertex. 

They  also  obtained  (with  the  help  of  Paul  Spirakis  at  NYU)  matching  lower  and 
upper  bounds  of  0(n3)  for  the  number  of  moves  required  to  solve  the  pebble 
problem.  Their  approach  allows  solutions  to  be  efficiently  planned.  They  hope  that 
the  algebraic  methods  used  for  this  problem  can  be  applied  to  geometrical  movers’ 
problems  arising  in  robotics. 

Kornhauser  and  Miller  also  studied  the  related  problem  of  the  diameter  of 
permutation  groups  given  by  generators.  They  extended  a  result  of  Driscoll  and 
Furst.  who  proved  a  polynomial  upper  bound  on  diameter  when  the  generators  are 
bounded  cycles,  to  a  moderately  exponential  upper  bound  for  special  cases  of 
arbitrary  length  cycles. 


248 


THEORY  OF  COMPUTATION 


2.13.  Tom  Leighton 

Professor  Leighton’s  current  research  interests  are  centered  on  problems  in  the 
areas  of  parallel  computation,  VLSI  design  and  probabilistic  analysis  of  algorithms. 
In  the  area  of  parallel  computation,  Professor  Leighton  is  developing  algorithms  and 
networks  (such  as  the  mesh  of  trees)  for  very  fast  parallel  computation.  Work  during 
the  past  year  was  highlighted  by  the  discovery  of  the  first  N-node,  bounded-degree 
network  capable  of  sorting  N  numbers  in  0(log  N)  steps.  Since  sorting  is  a 
generalization  of  packet  routing,  the  resulting  network  is  universal  in  the  sense  that  it 
can  simulate  any  computation  on  any  network  with  at  most  an  0(log  N)  factor  of 
delay  in  time,  the  least  possible.  In  addition  to  establishing  the  existence  of  universal 
computers,  the  new  work  may  also  have  applications  to  the  design  of 
supercomputers. 

In  the  area  of  VLSI  design,  Professors  Leighton  and  Bhatt  developed  a  framework 
for  solving  VLSI  graph  layout  problems.  Graph  layout  problems  model  placemenl 
and  routing  problems,  and  the  new  framework  provides  techniques  for  minimizing 
such  cost  functions  as  area,  wire  crossings  and  propagation  delay.  The  framework 
can  also  be  effectively  used  to  design  regular  and  configurable  layouts,  to  assemble 
large  networks  of  processors  using  restructurable  chips,  and  to  configure  networks 
around  faulty  processors. 

In  the  area  of  algorithms,  Professor  Leighton  is  studying  the  average  case  behavior 
of  heuristics  for  NP-complete  problems  such  as  bin  packing  and  graph  bisection. 
Such  problems  have  many  important  practical  applications,  but  no  polynomial  time 
algorithms  are  known  to  solve  these  problems.  As  a  result,  heuristics  are  used  in  the 
hope  that  they  will  work  well  most  of  the  time.  Professor  Leighton  is  developing 
techniques  that  can  be  used  to  mathematically  analyze  the  average  case  behavior  of 
the  heuristics.  The  initial  work  in  this  area  has  been  very  encouraging.  Already,  tight 
bounds  have  been  discovered  for  the  behavior  of  several  commonly  used  bin 
packing  heuristics,  and  a  graph  bisection  heuristic  was  discovered  that  is 
guaranteed  to  work  optimally  for  almost  all  graphs  in  several  natural  classes  of 
graphs.  The  bin  packing  results,  in  particular,  are  also  surprising  since  they 
disproved  several  widely  believed  conjectures. 


2.14.  Charles  Leiserson 

Professor  Leiserson  has  continued  his  investigations  in  the  areas  of  VLSI 
algorithms  and  parallel  computation.  By  combining  work  that  has  been  done  in  VLSI 
layout  theory  and  routing  networks,  he  has  developed  a  new  notion  of  universal 
routing  network  which  includes  the  cost  of  hardware  needed  to  build  the  routing 
network.  He  has  discovered  such  networks  called  "fat  trees,"  whose  layout 
properties  are  based  on  Leighton's  tree  of  meshes.  Fat  trees  are  universal  in  that 
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they  can  simulate  every  interconnection  network,  using  only  slightly  more  time  than 
does  an  optimal  implementation  of  the  network,  given  the  same  hardware  resources. 
Previous  notions  of  universality  have  not  included  the  cost  of  hardware. 

The  work  on  fat  trees  was  stimulated  by  the  Connection  Machine  project  in  the  Al 
Laboratory.  He  and  Professor  Rivest  contributed  to  the  original  design  of  Professor 
Knight’s  cross-omega  network. 

In  the  area  of  systolic  and  semisystolic  design,  Professor  Leiserson  has  developed 
many  transformations  for  optimizing  semisystolic  circuits.  The  tools  include 
retiming,  slowdown,  broadcast  and  census  elimination,  resetting  code  motion, 
coalescing,  and  interlacing,  to  name  a  few. 

Miller  Maley  and  Charles  Leiserson  have  been  studying  the  problem  of  planar 
routing  and  routability.  We  have  begun  to  develop  a  substantial  theory  which  we 
hope  to  incorporate  into  a  layout  compactor  that  does  optimal  jog  introduction. 
Cynthia  Phillips  and  Charles  Leiserson  have  developed  an  0(n  Ig  n)  time  algorithm 
for  finding  the  connected  components  of  a  set  of  rectangles  in  the  plane.  The 
algorithm  is  space-efficient  in  the  sense  that  the  amount  of  primary  memory  required 
is  proportional  only  to  the  number  of  rectangles  cut  by  a  scan  line.  For  VLSI 
applications,  this  number  is  about  the  square  root  of  n,  which  means  that  the 
geometric  design  rules  can  be  checked  for  extremely  large  chips. 

Professor  Leiserson  has  also  developed  several  interesting  chip  architectures. 
One  chip  is  a  fast  concentrator  chip.  This  chip  has  a  set  of  input  lines  and  fewer 
output  lines.  Each  input  line  has  either  a  zero  or  a  one.  The  ones  indicate  the 
presence  of  messages,  and  zeroes  indicate  the  absence.  The  chip  maps  as  many 
input  lines  with  messages  to  output  lines,  and  does  it  by  going  through  only  Ig  n 
gates.  Also,  with  Ray  Hirschfeld  and  Peter  Gabor,  Charles  Leiserson  has  developed 
an  area-efficient  chip  to  do  multiplication  of  complex  numbers. 

2.15.  Miller  Maley 

Charles  Leiserson  and  Miller  Maley  have  examined  the  problem  of  routing  wires  on 
a  single  layer  between  fixed  modules  when  the  topology  of  the  layout  is  given.  They 
have  discovered  a  succinct  characterization  of  the  set  of  such  layouts  that  have 
legal  routings,  and  used  it  to  develop  an  efficient  algorithm  for  testing  routability. 
Recently,  Maley  has  solved  an  important  special  case  of  the  routing  problem,  where 
modules  and  wires  are  constrained  to  lie  in  a  rectilinear  grid.  Over  the  summer,  this 
work  will  be  extended  to  more  general  routing  problems,  and  should  also  lead  to  the 
solution  of  a  problem  of  VLSI  layout  compaction  with  automatic  jog  introduction. 
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2.16.  Silvio  Micali 

Algorithmic  Randomness:  Goldreich,  Goldwasser  and  Micali  investigated  the 
field  of  algorithmic  randomness  [11].  The  goal  is  to  develop  a  coherent  theory  of 
randomness  based  on  computational  difficulty.  The  approach  is  very  constructive. 
In  view  of  applications,  particular  attention  has  been  devoted  to  finding  the  most 
powerful  properties  of  randomness  that  can  be  achieved  by  polynomial-time 
simulations. 

The  most  significant  result  is  a  novel  algorithm  that  transforms  any  one-way 
function  (i.e.,  a  possible  candidate  is  the  RSA  function)  and  a  secret  randomly 
selected  A-bit  input  ‘i*  to  a  pseudo  random  function  fi  from  A-bit  string  to  Ar-bit  strings. 
These  functions  f/s  can  be  used  in  many  applications.  They  are  easy  to  select  (by 
selecting  their  kbit  index)  and  easy  to  evaluate  (on  input  i  and  x,  ft(x)  is  computable 
in  polynomial  time).  Still  they  cannot  be  distinguished  from  truly  random  functions 
by  any  polynomial-time  algorithm  that  asks  for  and  is  given  the  value  of  the  function 
at  various  inputs.  The  new  construction  has  numerous  applications  to  cryptography, 
complexity  theory  and  distributed  computing. 

Cryptography:  Cryptographic  protocols  are  based  on  the  secrecy  of  some 
private  knowledge  and  should  preserve  such  secrecy.  The  big  open  problems  in  the 
area  are  how  to  check  correctness  of  a  cryptographic  protocol  and  when  the 
principle  of  modularity  design  can  be  correctly  applied  (i.e.,  under  which  conditions 
correct  subprotocols  can  be  combined  in  complex  protocols  so  to  preserve 
correctness).  Goldwasser,  Micali  and  Rackoff  [14]  presented  a  novel  computational 
complexity  measure  of  knowledge  and  applied  it  to  cryptographic  protocols.  They 
measured  how  much  knowledge  is  released  by  the  execution  of  a  protocol.  This 
lead  to  a  theorem  fundamental  for  checking  correctness  of  protocols  and  to 
discovering  sufficient  conditions  for  correctly  applying  modular  design.  In  particular 
a  very  efficient  protocol  for  signing  contracts  has  been  found  by  Ben-Or,  Micali  and 
Shamir  [15]. 

Goldwasser,  Micali  and  Rivest  presented  a  new  signature  scheme  [13],  The 
novelty  of  the  scheme  is  that  the  ability  of  foregoing  messages  is  proved 
computationally  equivalent  to  the  problem  of  integer  factorization  (in  previous 
schemes  it  was  only  proved  that  the  ability  to  factor  would  imply  ability  to  forge,  but 
not  vice  versa).  This  scheme  is  even  more  attractive.  It  is  proved  that  forging 
remains  hard  even  if  an  adversary  is  allowed  to  ask  and  receive  signatures  of 
messages  of  his  choice;  i.e.,  the  scheme  is  secure  against  chosen  ciphertext  attack. 
Such  a  security  feature  is  essential  in  some  applications.  For  example,  a  notary 
public  has  no  control  over  the  messages  that  he  has  to  sign.  He  is  thus  particularly 
vulnerable  against  chosen  signature  attack. 
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2.17.  Gary  Miller 

During  the  year  we  have  begun  a  new  research  effort  in  fault  tolerant  computing  in 
a  highly  parallel  environment.  We  are  interested  in  computational  networks  which 
lend  themselves  to  a  maximum  amount  of  parallelism  even  at  the  cost  of  restricting 
the  individual  elements  to  be  extremely  simple.  We  are  also  considering  the 
possibility  that  the  devices  may  error. 

At  this  point  we  have  been  considering  boolean  circuits  with  possible  feedback. 
More  generally,  we  consider  weighted  directed  graphs  where  each  node  is  a 
threshold  device  which  takes  on  states,  say,+1.  We  call  this  a  network  of  threshold 
devices. 

The  calculation  performed  by  a  network  of  threshold  devices  will  depend  on  the 
order  in  which  the  devices  update  there  state.  We  have  considered  several  different 
update  rules  including;  simultaneous  or  synchronous,  random,  and  worst-case 
updating. 

Margaret  Lepley  and  myself  have  been  able  to  construct  networks  which  when 
updated  randomly  run  with  only  an  exponentially  small  probability  of  error.  In 
particular,  we  have  constructed  polynomial  size  random  networks  which  simulate 
synchronous  ones  with  only  log  degradation  in  time  and  only  exponentially  small 
probability  of  error. 

We  are  now  considering  environments  where  devices  may  fail  to  update  correctly. 
The  goal  is  to  construct  random  networks  which  may  also  have  errors.  We  are  fairly 
close  to  such  a  construction. 


2.18.  John  Mitchell 

Unification  algorithms  are  used  in  theorem  provers,  PROLOG  interpreters,  and 
other  symbol-manipulation  tasks.  Several  current  research  efforts  are  aimed 
towards  solving  symbolic  problems  more  quickly  by  using  many  processors  in 
parallel.  With  Cynthia  Dwork  (MIT)  and  Paris  Kanellakis  (Brown  University),  I  proved 
that  unification  is  a  complete  problem  for  the  class  of  problems  that  are  solvable  in 
polynomial  time  [8].  Since  most  complexity  theorists  do  not  believe  that  all  problems 
computable  in  polynomial  time  can  be  solved  appreciably  faster  in  parallel,  it  is 
unlikely  that  a  substantial  speed-up  of  unification  can  be  achieved  using  parallel 
computation.  Our  result  holds  for  a  number  of  variants  of  unification. 

Programming  language  designers  have  studied  compile-time  type  checking  for 
several  years.  It  is  difficult  to  permit  flexible  use  of  procedures  and  still  do  compile¬ 
time  checking.  One  important  kind  of  "permissiveness"  is  to  allow  programmers  to 
write  polymorphic  procedures,  procedures  that  accept  many  different  types  of 


252 


THEORY  OF  COMPUTATION 


parameters.  In  [16][1 7],  I  studied  an  implicit  approach  to  polymorphism  based  on 
algorithms  that  infer  types  for  typeles  programs.  In  forthcoming  work  with  Gordon 
Plotkin  (Edinburgh),  we  formulate  a  strongly-typed  language  with  polymorphic 
functions  and  a  very  flexible  kind  of  data  abstraction.  The  formal  semantics  of  this 
language  is  studied  in  [18]. 


2.1 9.  Andy  Moulton 

During  the  past  year,  I  have  developed  algorithms  to  lay  power  and  ground  wires 
on  a  VLSI  chip.  These  algorithms  form  part  of  the  Placement- Interconnect  (PI) 

System,  developed  under  Professor  Ronald  Rivest.  As  such,  they  take  advantage  of 
the  way  in  which  PI  places  the  logic  modules  and  pads.  The  power-ground 
algorithms  first  lay  a  ground  ring  outside  the  pads,  then  lay  a  power  ring  inside  the 
pads.  The  algorithms  lay  a  tree  that  connects  the  logic  modules’  terminals  to  the 
ground  pad,  then  lay  branches  that  connect  the  logic  modules’  terminals  to  the 
power  ring  without  crossing  the  ground  wires. 

I  finished  my  master’s  thesis,  which  fully  describes  the  algorithms  mentioned  above 
[19].  This  thesis  also  discusses  a  technique  of  keeping  the  power  wires  from 
crossing  the  ground  wires.  A  Hamiltonian  cycle  goes  through  every  module  of  the 
chip  in  such  a  way  that  the  ground  terminals  lie  inside  the  Hamiltonian  cycle  while 
the  power  terminals  lie  outside.  Routing  the  ground  tree  inside  the  cycle  and  the 
power  tree  outside  the  cycle  ensures  that  the  wires  of  one  tree  do  not  cross  the  wires 
of  the  other  tree.  This  technique  is  described  in  a  paper  I  presented  at  the  ACM  IEEE  t 

20th  Design  Automation  Conference  [20], 


2.20.  Cynthia  Phillips 

I  am  writing  a  paper  with  Charles  Leiserson  on  a  space  and  time  efficient  algorithm 
for  finding  the  connected  components  of  rectangles  in  the  plan.  I  plan  to  continue 
work  on  space  efficient  algorithms  for  computational  geometry.  I’ll  also  be  working 
with  Charles  on  "fat  trees". 

2.21 .  Ronald  L.  Rivest 

During  the  past  year,  I  have  worked  on  the  following: 

1)  I  have  continued  working  on  the  PI  Placement  and  Interconnect  system, 
which  is  being  implemented  primarily  by  Alan  Sherman,  Andy  Moulton, 
and  Susmita  Sur.  Andy  Moulton  has  now  finished  his  M.S.  thesis  on  the 
power/ground  routing  phase.  Alan  is  working  on  the  placement  and 
resizing  code,  and  Susmita  has  been  working  the  resizer  as  well. 
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2)  I  have  been  studying  the  theoretical  aspects  of  low- level  sensori  motor 
intelligence,  and  have  been  developing  theories  about  how  intelligence 
can  be  make  sense  of  low-level  inputs.  The  major  themes  are  the 
importance  of  expectations  and  the  treatment  of  expectations  as  "first- 
class"  sensory  inputs. 

3)  I  have  worked  with  Benny  Chor  to  develop  a  new  knapsack-type  public- 
key  cryptosystem,  which  seems  to  avoid  the  weaknesses  present  in 
earlier  knapsack-type  cryptosystems. 

4)  I  have  worked  with  Shafi  Goldwasser  and  Silvio  Micali  on  a  new 
signature  scheme,  which  is  provably  invulnerable  to  chosen-signature 
attacks.  This  result  is  somewhat  paradoxical,  since  previous  attempts  to 
prove  such  invulnerability  have  actually  led  to  weaknesses. 

5)  I  have  begun  work  with  Laura  Yedwab  on  formalizing  the  end  game  in 
GO  using  Conway’s  "number  system". 

2.22.  Alan  Sherman 

Linder  the  supervision  of  Ronald  Rivest,  Alan  Sherman  has  been  exploring  issues 
in  the  theoretical  foundations  of  cryptographic  strength.  In  particular,  Sherman  has 
been  investigating  formal  definitions  of  cryptographic  strength,  relationships  among 
algebraic  and  security  properties  of  cryptographic  functions,  and  the  strength  of 
multiple  encryption.  The  goal  of  this  research  is  to  understand  in  a  precise 
mathematical  sense  what  makes  cryptosystems  secure. 

In  addition,  Sherman  has  also  been  studying  the  problem  of  placing  modules  on  a 
custom  VLSI  chip.  As  a  member  of  the  PI  project,  Sherman  has  developed  and 
implemented  an  efficient  heuristic  placement  algorithm  based  on  a  mincut  strategy. 
More  recently,  Sherman  has  been  working  on  provably  good  algorithms  for 
determining  the  orientation  of  modules  whose  approximate  placements  are  already 
known. 


2.23.  Michael  Sipser 

I  am  continuing  research  on  methods  for  proving  lower  bounds  on  the 
computational  complexity  of  combinatorial  problems.  I  have  been  investigating  the 
analytic  sets  as  a  potential  infinite  analog  to  NP,  and  the  classical  theorem  stating 
that  the  analytic  sets  are  not  closed  under  complement  as  a  means  of  shedding  light 
on  the  NP  vs.  co-NP  question.  I  can  give  a  new,  purely  combinatorial  proof  of  this 
theorem  [21]. 
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David  Barrington,  a  graduate  student  in  the  mathematics  department,  and  I  are 
investigating  finitary  analogs  to  topological  notions  such  as  measure  and  category. 
Ravi  Boppana.  a  graduate  student  in  the  EECS  department,  and  I  are  studying 
problems  in  circuit  complexity.  Steve  Trilling,  a  graduate  student  in  the  EECS 
department,  and  I  are  studying  questions  on  the  definition  of  random  sequences  and 
the  random  oracle  hypothesis. 


2.24.  Steve  Trilling 

I  am  working  with  Mike  Sipser  on  a  complexity-based  theory  of  randomness.  The 
eventual  hope  is  to  find  a  suitable  definition  of  "random  sequence"  and  a  set  of 
conditions  under  which  such  a  sequence  could  be  efficiently  computed.  These 
conditions,  if  they  are  true,  will  be  strong  enough  to  imply  non  trivial  facts  about 
complexity  classes  (i.e.,  perhaps  P  =  R).  Furthermore,  the  conditions  should, 
hopefully,  capture  some  intuitive  notion  of  "random". 
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messages  required  if  communication  is  asynchronous  [4],  However,  tne  proof  in  [3] 
does  not  extend  to  the  case  of  synchronous  communication.  It  is,  therefore,  quite 
natural  to  ask  whether  the  S2(n  log  n)  lower  bound  can  be  extended  to  the 
synchronous  case,  or  whether  there  are  algorithms  that  somehow  make  use  of  the 
synchrony  to  limit  the  number  of  messages  transmitted. 

We  obtain  both  positive  and  negative  answers  to  our  question  of  whether 
synchrony  helps.  On  the  one  hand,  we  show  that  if  processor  id's  are  chosen  from 
some  countable  set  (such  as  the  integers),  then  there  is  an  algorithm  which  uses 
only  0(n)  messages  in  the  worst  case.  The  processors  may  initiate  the  algorithm  at 
different  rounds,  and  do  not  know  the  value  of  n.  Unlike  the  earlier  algorithms,  our 
algorithm  does  not  only  use  comparisons  on  id's  •  it  uses  the  numerical  value  of  the 
id's  to  count  rounds.  The  number  of  synchronous  rounds  used  by  our  algorithm  can 
be  very  large  in  the  worst  case. 

On  the  other  hand,  we  show  that  both  the  departure  from  the  comparison  model 
and  the  possibility  of  using  a  large  number  of  rounds  are  necessary  in  order  to  obtain 
a  linear  communication  algorithm.  More  specifically,  if  the  algorithm  is  restricted  to 
use  only  comparisons  of  id's,  then  we  obtain  an  S’(n  log  n)  lower  bound  tor  the 
number  of  messages  required  in  the  worst  case.  Alternatively,  if  the  number  of 
rounds  is  required  to  be  bounded  by  some  t  in  the  worst  case,  then  there  is  a  (very 
fast-growing)  function  f(n,t)  which  has  the  following  very  interesting  property.  If  id's 
are  chosen  from  any  set  T  having  at  least  f(n,t)  elements,  then  any  t  bounded 
algorithm  requires  S?(n  log  n)  messages  in  the  worst  case.  We  achieve  this  result  by 
giving  a  transformation  from  any  algorithm  to  a  comparison  algorithm.  Both  our 
lower  bound  results  hold  even  in  the  case  that  the  number  of  processors  in  the  ring 
is  known  to  each  processor,  and  all  the  processors  are  known  to  start  at  the  same 
round. 

6.  DISTRIBUTED  NETWORK  ALGORITHMS 

Shmuel  Zaks  has  been  working  on  design  and  analysis  of  algorithms  for  networks 
of  processors,  where  no  central  controller  is  present  and  no  common  clock  is 
available.  The  underlying  communication  networks  usually  dealt  with  are  the 
simplest  kinds:  rings,  trees  and  complete  grapns. 

The  model  usually  used  consists  of  a  network  of  processors,  each  with  a  unique 
identity  known  initially  only  to  itself.  Communication  is  done  via  messages  which 
arrive  in  order  and  after  a  finite  delay,  but  no  a  priori  bound  for  that  delay  is  known. 
Assuming  that  the  computation  cost  and  the  queueing  cost  in  each  processor  is 
negligible  compared  to  the  communication  cost,  it  is  customary  to  measure  the 
complexity  of  such  algorithms  by  the  total  number  of  messages  sent  during  any 
possible  execution.  Previous  work  that  is  related  to  the  work  described  here 


THEORY  OF  DISTRIBUTED  SYSTEMS 


4.3.  Communication  Patterns  in  a  Distributed  System 

Consensus  problems  arise  in  numerous  guises  and  have  traditionally  been  studied 
in  several  forms.  In  "Patterns  of  Communication  in  Consensus  Protocols,"  Dwork 
and  Skeen  explore  the  relationships  among  several  different  versions  of  the 
consensus  problem.  To  do  this  we  define  a  new  notion  of  reducibility.  We  first 
define  for  any  protocol  P  a  partial  ordering  on  the  message-sending  steps  of  an 
execution  of  P.  Intuitively,  the  sending  of  message  ml  precedes  the  sending  of  m2  if 
and  only  if  the  contents  of  ml  may  be  known  to  the  sender  of  m2  when  m2  is  sent. 
We  call  this  partial  ordering  the  communication  pattern  of  the  execution. 

For  any  protocol  Q,  let  the  scheme  of  0  denote  the  set  of  all  communication 
patterns  of  failure-free  executions  of  Q.  A  problem  may  be  characterized  by  the  set 
of  schemes  of  protocols  for  the  problem.  We  say  PI  reduces  to  P2.  written  Pt  <  P2, 
if  and  only  if  the  set  of  schemes  lor  PI  contains  the  set  of  schemes  for  P2. 

Intuitively,  if  Pi  reduces  to  P2,  then  any  protocol  for  P2  can  solve  PI  by  relabeling 
local  states  and  padding  messages.  Consequently,  the  message  complexity 
(measured  in  number  of  messages)  of  PI  is  not  greater  than  the  message  complexity 
of  P2.  Our  method  of  characterizing  and  comparing  problems  is  the  principal 
contribution  of  this  paper.  Given  our  taxonomy  we  use  this  notion  of  reducibility  to 
examine  the  relationships  among  six  practical  problems  with  varying  safeness  and 
livenoss  properties. 

This  work  will  appear  in  this  summer’s  Symposium  on  Principles  of  Distributed 
Computing. 

5.  ELECTION  OF  A  LEADER  IN  A  DISTRIBUTED  RING  OF 
PROCESSORS 

Nancy  Lynch  collaborated  with  Greg  Frederickson  of  Purdue  on  some  work 
involving  bounds  on  the  number  of  messages  required  to  elect  a  leader  in  a 
synchronous  ring  of  processors.  In  this  problem,  there  are  n  processors,  which  are 
identical  except  that  each  has  its  own  unique  identifier.  At  vaiious  points  in  time, 
one  or  more  of  the  processors  "wakes  up"  and  initiate  their  participation  in  an 
algorithm  to  decide  on  a  leader.  The  relevant  resources  for  such  a  distributed 
computation  are  the  total  number  of  messages  used  and  the  amount  of  time 
expended  from  the  time  that  the  first  processor  wakes  up. 

This  problem  has  been  studied  by  many  researchers  [[4],  [5),  [34],  etc.].  The  best 
previous  deterministic  algorithms  have  used  0(n  log  n)  messages  for  either 
bidirectional  or  unidirectional  rings.  These  algorithms  work  for  both  the 
synchronous  and  asynchronous  models,  and  use  comparisons  of  id's  only.  In 
addition.  Burns  has  established  a  lower  bound  of  U(n  log  n)  on  the  number  of 
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4.2.  Byzantine  Agreement 

Brian  Coan  has  been  working  on  randomized  Byzantine  agreement  algorithms. 
Such  algorithms  operate  in  a  system  of  processes  some  of  which  can  fail.  The 
computation  proceeds  in  a  series  of  rounds  in  which  messages  are  sent  and 
received  over  a  network  that  is  fully  connected  and  reliable.  At  each  round,  a 
process  can  use  the  toss  of  a  coin  when  it  decides  on  its  future  actions.  Correct 
processes  toss  fair  coins  and  send  messages  according  to  their  programs.  Failed 
processes  can  send  arbitrary  messages.  Each  process  starts  the  algorithm  with  an 
input  value.  The  goal  is  that  after  sending  some  messages  each  process  will 
produce  an  answer.  There  are  two  requirements  on  the  answer  produced  by  a 
correct  algorithm.  If  the  same  input  was  distributed  to  all  processes,  then  this  value 
must  be  the  answer  of  all  correct  processes.  In  any  event,  all  correct  processes 
must  agree  on  some  common  answer  value. 

Coan  has  developed  a  randomized  Byzantine  agreement  algorithm  that  terminates 
in  an  expected  number  of  rounds  that  is  smaller  than  the  known  lower  bound  (due  to 
Fischer  and  Lynch  [17])  on  the  number  of  rounds  required  by  a  deterministic 
Byzantine  agreement  algorithm.  Further  improvements  have  been  made  in  the 
algorithm  by  Chor.  The  algorithm  is  of  interest  for  several  reasons.  It  is  simple  and 
efficient  enough  to  be  of  practical  importance.  Also,  it  is  an  example  of  a  situation 
where  randomization  improves  on  the  problem  solving  power  of  a  system  of 
computers.  Although  randomization  is  vital  to  the  algorithm,  it  is  used  sparingly. 
The  expected  number  of  coin  tosses  per  process  is  less  than  one.  The  algorithm 
incorporates  some  ideas  from  a  deterministic  Byzantine  agreement  algorithm 
developed  previously  by  Turpin  and  Coan  [38]. 

The  best  previously  known  randomized  algorithm  is  due  to  Ben-Or  [3].  It  was 
primarily  developed  to  operate  in  an  asynchronous  system,  but  also  operates  in  a 
synchronous  system.  Ben-Or's  algorithm  has  the  disadvantage  that  it  either  requires 
a  large  number  of  rounds  of  communication  or  a  large  number  of  processes.  In  the 
synchronous  case,  the  new  algorithm  improves  on  this  substantially;  although, 
unfortunately,  the  new  algorithm  appears  not  to  generalize  to  the  asynchronous 
case. 

A  related  algorithm  is  due  to  M.  Rabin  [35].  Rabin's  algorithm  is  more  efficient  than 
our  new  algorithm;  however,  it  achieves  this  efficiency  at  the  expense  of  requiring 
more  powerful  processes.  In  particular,  his  algorithm  requires  authentication  and  a 
global  coin  toss  by  means  of  Shamir's  shared  secret.  The  shared  secret  must  be 
pre  computed  by  a  trusted  administrator.  There  are  two  disadvantages  of  this.  It 
reduces  the  amount  of  autonomy  of  individual  nodes  and  the  shared  secret 
represents  an  expensive  resource  that  is  partially  consumed  each  time  the  algorithm 
is  executed. 
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Results  of  [18]  have  shown  that  the  problem  of  reaching  distributed  consensus  in 
the  presence  of  even  a  single  faulty  processor  (even  if  it  can  only  fail  by  stopping)  is 
unsolvable  in  a  completely  asynchronous  environment.  Results  of  [9]  have  refined 
those  of  [18]  by  showing  that  the  problem  cannot  be  solved  even  in  the  case  where 
only  the  communication  (but  not  the  processors)  is  asynchronous  or  in  the  case 
where  only  the  processors  are  asynchronous.  We  considered  the  question  of 
weakening  the  requirements  so  that  (1)  processors  never  reach  disagreement,  no 
matter  how  asynchronously  the  system  runs,  and  (2)  if  there  is  ever  some  sufficiently 
long  interval  of  time  during  which  the  system  behaves  synchronously,  then 
agreement  is  guaranteed.  We  assume  that  the  processors  have  no  way  of  knowing 
when  this  interval  occurs. 

We  have  found  an  algoritnm  requiring  2f  +  1  processors  (where  t  is  the  maximum 
number  of  faulty  processors)  which  solves  this  problem  for  the  simplest  kinds  of 
failures  •  just  stopping,  or  else  omitting  some  messages.  The  algorithm  is  similar  in 
general  style  to  some  "two-phase  commit"  algorithms  in  the  literature.  Our 
algorithm  can  be  modified  to  tolerate  Byzantine  faults  with  authentication,  using  3f 
+  1  processors,  and  to  tolerate  Byzantine  faults  without  authentication,  using  4f  +  1 
processors.  (A  more  complicated  and  costly  algorithm  can  also  be  designed  for  this 
latter  case,  using  only  3f  +  1  processors.)  All  of  these  bounds  are  tight. 

All  of  the  results  described  above  were  first  proved  for  the  case  where  the 
processors  are  always  synchronous  (i.e.  have  built-in  "clocks"  which  go  at  the  same 
rate)  but  communication  is  subject  to  variations  in  its  synchrony.  We  later 
discovered  that  all  of  the  results  still  hold  for  the  case  where  both  the  processors  and 
the  communication  system  are  subject  to  variations.  The  basic  idea  in  the  latter  case 
is  to  have  the  processors  implement  fault-tolerant  versions  of  Lamport's  clock  [28], 
and  use  those  clocks  in  place  of  the  built  in  clocks,  to  control  the  execution. 

We  also  considered  the  case  where  communication  is  assumed  to  be  synchronous 
but  processors  are  asynchronous.  We  have  obtained  algorithms  and  lower  bounds 
for  various  types  of  faults  in  those  cases  as  well.  Most,  but  not  all  of  these  results  are 
tight. 

An  interesting  sidelight  is  that  our  algorithms  also  work  under  an  alternative  style 
of  "partially  synchronous"  assumption.  Namely,  we  might  assume  tnat  there  exist 
upper  bounds  on  message  delivery  time  (or  on  the  ratio  between  speeds  of 
processors),  but  that  those  bounds  are  not  known  to  the  processors  themselves.  If 
assumptions  in  this  stylo  are  used  in  place  of  assumptions  about  intervals  of 
synchronous  behavior,  the  same  algorithms  still  work. 

This  work  will  appear  in  this  summer’s  Symposium  on  Principles  of  Distributed 
Computing, 
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The  special  structure  erf  state  transition  specifications  can  be  exploited  to  obtain 
proof  techniques.  The  Correctness  Theorem  gives  sufficient  conditions  for  an 
implementation  to  be  correct  with  respect  to  state-transition  specifications.  A 
Completeness  Theorem  shows  that  correctness  proofs  of  the  form  suggested  by  the 
Correctness  Theorem  exist  for  correct  implementations,  assuming  the  specifications 
satisfy  certain  well-formedness  properties.  A  Consistency  Theorem  gives  sufficient 
conditions  for  showing  state-transition  specifications  to  be  consistent. 

An  important  concept  tor  structuring  specifications  and  correctness  proofs  is  the 
notion  of  rely -  and  guarantee-conditions.  A  rely-condition  expresses  conditions  a 
module  relies  on  its  environment  to  provide,  and  a  guarantee  condition  expresses 
what  the  module  guarantees  to  provide  in  return.  Significant  simplification  in  proofs 
of  correctness  can  result  if  specifications  are  written  so  that  what  each  module 
guarantees  to  its  neighbor  is  exactly  what  the  neighbor  relies  on  the  module  to 
provide.  Under  these  conditions,  the  rely-  and  guarantee  conditions  "cut"  the 
interdependence  between  modules  in  much  the  same  way  as  a  loop  invariant  cuts 
the  dependence  of  one  iteration  of  a  loop  of  the  preceding  and  succeeding 
iterations.  In  the  thesis,  a  theorem  is  proved  that  shows  how  this  idea  can  be 
captured  in  terms  of  a  useful  proof  technique. 

The  techniques  developed  in  the  thesis  are  applied  to  obtain  specifications  and 
rigorous  proofs  of  correctness  for  three  example  implementations:  a  synchronizer 
module,  for  synchronizing  the  access  of  a  number  of  user  processes  to  a  single 
shared  resource,  a  resource  manager  module,  which  allocates  a  finite  set  of 
resources  in  response  to  user  requests,  and  a  message  transmission  module,  which 
uses  the  alternating  bit  protocol  to  construct  a  reliable  message  transmission  service 
from  an  unreliable  substrate. 

4.  DISTRIBUTED  CONSENSUS 

A  large  amount  of  effort  went  into  various  problems  of  distributed  consensus  this 
year.  Nancy  Lynch  and  Cynthia  Dwork  collaborated  with  Larry  Stockmeyer  on 
results  about  reaching  consensus  in  a  partially  synchronous  environment.  Brian 
Coan  obtained  several  results  about  Byzantine  agreement.  Cynthia  Dwork 
collaborated  with  Dale  Skeen  in  work  on  communication  patterns  for  distributed 
consensus  algorithms. 

4.1 .  Reaching  Consensus  in  a  Partially  Synchronous  Environment 

Cynthia  Dwork.  Nancy  Lynch  and  Larry  Stockmeyer  of  IBM  San  Jose  collaborated 
in  work  involving  the  problem  of  reaching  consensus  in  a  partially  synchronous 
environment. 
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3.  FOUNDATIONS  OF  A  THEORY  OF  SPECIFICATION  FOR 
DISTRIBUTED  SYSTEMS 

Gene  Stark's  Ph.D.  dissertation,  entitled:  "Foundations  of  a  Theory  of  Specification 
for  Distributed  Systems,"  is  near  completion.  This  thesis  accomplishes  the  following 
tasks:  (it  the  development  of  a  mathematical  model  of  distributed/concurrent 
computer  systems,  which  incorporates  as  fundamental  notions  the  concepts  of 
hierarchy  and  modularity,  (2)  the  use  of  the  model  as  a  basis  for  the  investigation  of 
a  particular  approach,  called  state-transition  specification,  to  specifying  and  proving 
the  correctness  of  distributed  systems,  and  (3)  the  application  of  the  state-transition 
specification  and  proof  techniques  to  some  nontrivial  example  problems.  Important 
features  of  this  work  include:  the  integration  of  the  notions  of  hierarchy  and 
modularity  into  a  theory  of  specification,  the  ability  to  specify  both  safety  (invariance) 
and  liveness  (eventuality)  properties  of  systems,  and  to  reason  about  these 
properties  in  a  single  framework,  and  the  development,  as  an  integral  part  of  the 
technique  of  state-transition  specification,  of  a  systematic  method  for  constructing 
proofs  of  correctness. 

The  mathematical  model  provides  the  following  primitive  notions:  An  event  is  an 
instantaneous  observable  occurrence  during  the  operation  of  a  computer  system. 
An  observation  is  a  record  of  the  event  occurrences  that  took  place  during  a 
particular  execution  of  a  system.  The  behavior  of  a  system  is  the  set  of  all 
observations  that  can  be  produced  by  the  system,  in  all  its  executions.  Abstraction 
maps  and  decomposition  maps  capture  formally  the  notions  of  hierarchy  and 
modularity.  An  abstraction  map  maps  an  observation  representing  a  detailed  view  of 
system  execution  into  an  observation  representing  a  less  detailed  view  of  the  same 
execution.  A  decomposition  map  is  a  vector  of  projections,  each  of  which  takes  an 
observation  for  a  "composite"  system  and  localizes  that  observation  to  a  particular 
component  module.  From  these  primitive  notions,  it  is  possible  to  define,  in  a 
specification-language-independent  and  programming-language-independent  way, 
the  notions  of  implementation  and  correctness  of  an  implementation,  as  well  as  the 
notion  of  consistency  of  specifications. 

The  purpose  of  a  specification  is  to  describe  a  set  of  allowable  observations  for  the 
module  being  specified.  In  a  state-transition  specification,  this  set  of  allowable 
observations  is  described  by  a  pair  <M,  V>,  where  M  is  a  kind  of  nondeterministic 
machine  that  generates  an  observation  as  it  executes,  and  V  is  a  subset  of  the  set  of 
computations  of  M,  called  the  set  of  valid  computations.  An  observation  is  allowable 
if  and  only  if  it  is  produced  in  some  valid  computation.  The  state-transition  approach 
appears  to  provide  a  natural,  straightforward  strategy  for  turning  an  intuitive 
understanding  of  the  desired  function  of  a  module  into  a  formal  specification.  Safety 
properties  are  incorporated  into  the  description  of  the  machine  M,  and  liveness 
properties  are  captured  by  the  set  of  valid  computations  V. 
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Our  algorithm  can  be  modified  to  allow  a  faulty  process  which  has  been  repaired  to 
synchronize  its  clock  with  the  other  nonfaulty  processes.  Let  p  be  the  process  to  be 
reintegrated  into  the  system.  We  assume  that  p  can  awaken  at  an  arbitrary  time 
during  an  execution,  perhaps  during  the  middle  of  a  round.  It  is  necessary  that  p 
identify  an  appropriate  round  i  at  which  it  can  obtain  all  the  clock  values  from 
nonfaulty  processes.  Since  p  might  awaken  during  the  middle  of  a  round,  it  will  first 
orient  itself  by  observing  the  arriving  messages,  allowing  part  of  a  round  to  pass 
before  it  begins  to  collect  messages.  After  orienting  itself,  p  continues  to  collect 
clock  values  during  an  interval  of  time  long  enough  for  p  to  hear  from  all  nonfaulty 
processes.  Immediately  after  p  determines  it  has  waited  long  enough,  it  carries  out 
the  same  averaging  procedure  described  earlier  and  determines  a  correction  to  its 
clock. 

The  problem  solved  by  this  algorithm  is  only  that  of  maintaining  synchronization  of 
local  times  once  it  has  been  established.  There  is,  of  course,  the  separate  problem 
of  establishing  such  synchronization  in  the  first  place  among  processes  whose 
clocks  have  arbitrary  values.  Our  second  algorithm  is  a  variant  of  our  first,  and  is 
used  to  establish  the  initial  synchronization.  We  have  also  designed  an  interface 
between  the  two  algorithms,  since  we  envision  the  processes  running  our  second 
algorithm  until  the  desired  degree  of  synchronization  is  obtained,  and  then  switching 
to  the  maintenance  algorithm. 

The  structure  of  the  algorithm  is  similar  to  that  of  the  algorithm  which  maintains 
synchronization.  It  runs  in  rounds.  During  each  round,  the  processes  exchange 
clock  values  and  use  the  same  fault-tolerant  averaging  function  as  before  to 
calculate  the  corrections  to  their  clocks.  However,  each  round  contains  an 
additional  phase,  in  which  the  processes  exchange  messages  to  decide  that  they  are 
ready  to  begin  the  next  round.  This  algorithm  also  synchronizes  the  clocks  to  within 
about  4e. 

Our  algorithms  will  appear  in  this  year's  Symposium  on  Principles  of  Distributed 
Computing,  in  a  special  session  devoted  to  clock  synchronization. 

Several  results  similar  to  last  year's  lower  bound  result  [31]  appeared  this  year  in 
[10].  It  became  apparent  that  all  of  these  results  are  addressing  questions  which  are 
special  cases  of  a  single  general  problem:  that  of  determining  possible  closeness  of 
synchronization  for  arbitrary  network  graphs  with  arbitrary  communication 
uncertainties.  With  Joe  Halpern,  we  spent  some  time  attempting  to  solve  the  general 
problem,  but  have  so  far  not  obtained  any  interesting  results. 

Mandy  Ng  has  simulated  our  clock  synchronization  algorithm  as  a  UROP  project. 
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timer  to  go  off  at  a  specified  time  in  the  future.  Formally,  timers  are  treated  similarly 
to  messages  between  processes.  The  system  is  interrupt-driven  in  that  a  process 
only  takes  a  step  when  a  message  (i.e.,  a  timer  or  a  message  from  another  process) 
arrives.  We  consider  only  the  case  where  the  message  network  is  completely 
connected.  All  messages  are  delivered  within  a  fixed  amount  of  time  plus  or  minus 
some  uncertainty. 

Keeping  the  local  times  of  processes  in  a  distributed  system  synchronized  in  the 
presence  of  arbitrary  faults  is  important  in  many  applications  and  is  an  interesting 
problem  in  its  own  right.  Taking  into  account  the  clocks’  drift  from  real  time  and 
varying  message  delivery  times  makes  the  problem  more  realistic  and  more 
challenging.  In  order  to  be  truly  useful,  a  solution  to  this  problem  must  allow  faulty 
processes  that  have  recovered  to  be  reintegrated  into  the  system.  Our  first  algorithm 
meets  these  requirements,  assuming  that  the  clocks  are  initially  close  together  and 
that  fewer  than  one  third  of  the  processes  are  faulty.  (A  result  in  [10]  indicates  that 
this  proportion  of  faulty  processes  is  the  largest  that  any  algorithm,  which  does  not 
use  unforgeable  digital  signatures,  can  tolerate.) 

Our  algorithm  runs  in  rounds  (as  do  those  in  [29],  [24]  and  [33]),  resynchronizing  at 
each  round  to  correct  for  the  clocks  drifting  out  of  synchrony.  The  size  of  the 
adjustment  made  to  a  clock  at  each  round  is  independent  of  the  number  of  faulty 
processes.  At  each  round,  n2  messages  are  required,  where  n  is  the  total  number  of 
processes.  The  closeness  of  synchronization  achieved  depends  only  on  the  initial 
closeness  of  synchronization,  the  message  delivery  time  and  its  uncertainty,  and  the 
drift  rate.  We  give  explicit  bounds  on  how  the  difference  between  the  clock  values 
and  real  time  grows. 

At  the  beginning  of  each  round,  every  nonfaulty  process  broadcasts  its  clock  value 
and  then  waits  a  bounded  amount  of  time  on  its  clock,  long  enough  to  ensure  that 
clock  values  are  received  from  all  nonfaulty  processes.  After  waiting,  the  process 
averages  the  arrival  times  of  all  the  messages  received,  using  a  fault-tolerant 
averaging  function.  The  resulting  average  is  used  to  calculate  an  adjustment  to  the 
process’  clock. 

The  fault-tolerant  averaging  function  is  derived  from  those  used  in  [12]  for 
reaching  approximate  agreement.  The  function  is  designed  to  be  immune  to  some 
fixed  maximum  number,  f,  of  faults.  It  first  throws  out  the  f  highest  and  f  lowest 
values,  and  then  applies  some  ordinary  averaging  function  to  the  remaining  values. 
We  choose  the  midpoint  of  the  range  of  the  remaining  values,  to  be  specific.  The 
properties  of  the  fault  tolerant  averaging  function  allow  the  distance  between  the 
clocks  to  be  halved  (roughly)  at  each  round.  Consequently,  the  averaging  function 
can  be  considered  the  heart  of  the  algorithm. 

This  algorithm  can  maintain  a  closeness  of  synchronization  of  approximately  4 e, 
where  e  is  the  uncertainty  in  the  message  delivery  time. 
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1.  OVERVIEW 

This  year,  the  Theory  of  Distributed  Systems  Group  worked  a  large  variety  of 
individual  problems  within  the  theory  of  distributed  computing.  Particular  emphasis 
was  placed  on  problems  and  models  involving  time,  and  on  reliability  issues. 
Specifically,  we  studied  the  following  problems: 

(1)  Software  clock  synchronization, 

(2)  Foundations  of  a  theory  of  specification  for  distributed  systems, 

(3)  Distributed  consensus, 

(4)  Election  of  a  leader  in  a  distributed  ring  of  processors, 

(5)  Distributed  network  algorithms, 

(6)  Diagnosis  of  faulty  components,  and 

(7)  Distributed  network  resource  allocation. 

In  addition,  other  work,  not  directly  related  to  theory  of  distributed  computing, 
included: 

(8)  Unification, 

(9)  Combinatorics  and  graph  algorithms,  and 

(10)  Development  of  a  CLU  parser  generator. 

2.  SOFTWARE  CLOCK  SYNCHRONIZATION 

Jennifer  Lundelius  and  Nancy  Lynch  have  continued  work  during  the  past  year  on 
the  problem  of  synchronizing  clocks  in  a  distributed  system.  The  formal  model 
developed  earlier  to  describe  systems  of  distributed  processes  with  local  clocks  has 
been  polished  (and  a  simple  "language"  for  describing  processes  in  this  model  has 
been  developed).  Last  year’s  major  result,  a  lower  1  ound  on  the  closeness  with 
which  clocks  can  be  synchronized  in  the  presence  of  uncertainty  of  message  delay, 
has  been  written  up  this  year  and  submitted  for  publication  [31).  This  year's  major 
results  are  two  new  fault-tolerant  algorithms,  one  to  maintain  synchronization  among 
processes  whose  clocks  initially  are  close  together,  and  another  to  establish 
synchronization  in  the  first  place. 

In  our  model,  each  process  has  a  read  only  physical  clock.  By  adding  a  correction 
to  the  physical  clock  time,  the  process  obtains  a  local  time.  The  process  can  set  a 
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includes  that  of  Burns  [4j.  Dolev  et  al.  [11].  Frederickson  and  Lynch  [20],  Gallager  et 
al.  [22]  and  Peterson  [34]. 

Several  problems  that  require  reaching  common  knowledge  have  been  studied. 
The  problems  considered  include  that  of  deciding  distinctness  and  that  of  finding  a 
maiority  value  in  the  set  of  initial  values.  Lower  bounds  are  derived  in  [21],  primarily 
for  ring  networks.  Following  Frederickson  and  Lynch  [20],  we  consider  comparison 
algorithms  to  obtain  lower  bounds  on  message  complexity  for  these  problems.  For 
unrestricted  algorithms  the  bit  complexity  is  usually  of  interest.  We  study  it  for  the 
distinctness  problem,  using  the  technique  developed  in  Yao  [39].  The  problems 
considered  are  quite  fundamental:  algorithms  that  achieve  common  knowledge  often 
involve  one  of  them.  Thus,  it  is  believed  that  this  study  will  help  our  understanding  of 
the  complexity  of  other  problems  on  various  networks. 

The  sorting  problem  has  been  extensively  studied  for  sequential  algorithms;  in 
Zaks  [40]  such  a  study  is  made  for  distributed  networks.  We  study  the  problems  of 
sorting  and  ranking  processors  that  have  (not  necessarily  distinct)  initial  values. 
Assuming  a  tree  network,  an  algorithm  for  the  ranking  problem  is  presented  that 
uses,  in  the  worst  case,  a  number  of  messages  that  is  shown  to  be  best  possible.  The 
algorithm  is  then  extended  to  perform  sorting,  using  again  the  fewest  number  of 
messages  in  the  worst  case.  The  expected  behavior  of  these  algorithms  is  analyzed 
for  various  classes  of  trees.  The  ranking  algorithm  is  an  improvement  upon  the 
algorithm  in  Korach  et  al.  [27]  in  its  worst  case  performance,  its  average  case 
performance,  and  its  use  of  concurrency. 

Other  work  has  dealt  with  distributed  algorithms  for  a  complete  network.  For  such 
algorithms,  it  is  generally  assumed  that  a  node  cannot  distinguish  between  its 
incident  edges.  In  Korach  et  al.  [26].  [25]  this  model  is  used,  and  finding  a  spanning 
tree  is  shown  to  require  strictly  fewer  messages  than  finding  a  minimum  spanning 
tree  (thus  partially  answering  a  question  raised  by  Gallager  [22]).  In  Santoro  et  al. 
[37]  we  further  investiqate  the  ditference  between  the  problem  of  finding  a  minimum 
spanning  tree  and  finding  any  spanning  tree  when  the  underlying  network  is 
complete.  We  show  that  in  a  certain  model  of  a  complete  network  •  where  the 
processors  have  a  partial  in'ormation  of  where  the  edges  are  leading  to  •  the 
distinction  between  those  two  problems  is  even  more  profound;  namely,  spanning 
tree  is  shown  to  be  as  easy  as  possible  (linear  in  the  size  of  the  network),  while 
minimum  spanning  tree  is  shown  to  be  as  hard  as  possible  (quadratic  in  the  size). 

Some  of  the  preceding  work  [26]  will  be  presented  at  this  summer's  Symposium  on 
Principles  of  Distributed  Computing. 

Baruch  Awerbuch  has  been  working  on  the  problem  of  breadth-first  search  (BFS) 
in  a  distributed  network.  In  a  synchronous  network  there  exists  a  fairly  simple 
algorithm  which  performs  breadth  first  search  in  O(V)  time  and  0(E)  messages. 
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Surprisingly  enough,  performing  BFS  in  an  asynchronous  network  turns  out  to  be  a 
much  more  difficult  task.  Awerbuch  [2]  proposes  to  implement  BFS  by 
synchronizing  the  network  and  using  a  synchronous  algorithm.  This  approach  yields 
0(V**2)  messages  and  0(V  log  V)  time;  its  communication  cost  may  be  high  for 
sparse  networks.  The  algorithm  due  to  Fredrickson  [19]  requires  0(VE**1/2)  both 
in  terms  of  messages  and  time. 

Awerbuch  has  recently  found  a  new  distributed  BFS  algorithm,  which  requires  just 
0(E  +  V**1.6)  messages  and  time.  The  idea  of  the  algorithm  is  to  use  partial 
synchronization  and  to  change  the  degree  of  synchronization  according  to  the 
density  of  the  network.  An  open  question  is  whether  this  result  can  be  further 
improved. 


7.  DIAGNOSIS  OF  FAULTY  COMPONENTS 

Nancy  Lynch  has  been  collaborating  with  researchers  at  Draper  Laboratories,  on 

problems  of  fault-tolerance  arising  in  real-time  processing  systems  with  high 
reliability  requirements.  Among  the  problems  considered  was  a  problem  of 
diagnosing  and  replacing  faulty  components  in  a  long-lived  system,  where  the 
symptoms  of  faults  arise  for  pairs  of  components.  (For  example,  a  transmitter- 
receiver  pair  may  fail  to  complete  a  transmission  successfully,  but  it  might  not  be 
known  which  component  is  faulty.) 

The  problem  turns  out  to  be  formalizable  as  an  on-line  version  of  the  vertex  cover 
problem.  It  has  been  shown  that  a  trivial  deterministic  algorithm  exists  which  can 
achieve  a  worst-case  ratio  of  two  between  the  number  of  components  replaced  and 
the  number  actually  faulty.  Moreover,  no  deterministic  or  probabilistic  algorithm  can 
do  any  better.  (That  is,  no  probabilistic  algorithm  can  achieve  an  expected  ratio 
better  than  two,  where  the  expectation  is  taken  over  the  probabilistic  choices  in  the 
algorithm  only.) 

On  the  other  hand,  if  reasonable  probabilistic  assumptions  are  made  about  the 
patterns  of  occurrence  of  faults,  then  a  ratio  near  3/2  is  achievable. 

8.  DISTRIBUTED  NETWORK  RESOURCE  ALLOCATION 

Nancy  Lynch  collaborated  witti  Mike  Fischer  and  Nancy  Griffeth  in  completing 
some  older  work  on  optimal  allocation  of  resources  in  a  tree  network.  There  are  two 
sets  of  results.  The  first  [15]  deals  with  optimal  placements  of  resources  within  a 
tree;  the  placements  are  intendcJ  to  optimize  the  expected  cost  of  a  minimum 
matching  between  the  resources  and  requests  arriving  according  to  a  probability 
distribution.  A  new  result  obtained  this  year  is  an  upper  bound  on  the  expected  cost 
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of  certain  near-optimal  placements  within  arbitrary  trees.  (Previously,  we  only  had 
results  for  balanced  trees.) 

The  second  [16]  is  a  difficult  probabilistic  analysis  of  a  distributed  algorithm  which 
matches  arriving  requests  to  resources  placed  within  the  network.  This  analysis  has 
been  polished  up. 

The  following  work,  while  not  directly  related  to  the  theory  of  distributed 
computing,  was  carried  out  within  our  research  group. 

9.  UNIFICATION 

Cynthia  Dwork  has  collaborated  with  John  Mitchell  and  Paris  Kanellakis  in  work  on 
unification.  Unification  of  terms  is  an  important  step  in  resolution  theorem  proving 
[36]  with  applications  to  a  variety  of  symbolic  computation  problems.  In  particular, 
unification  is  used  in  PROLOG  interpreters  [6],  type  inference  algorithms  [33],  and 
term  rewriting  systems  [23]. 

Informally,  two  symbolic  terms  s  and  t  are  unifiable  if  there  is  some  way  of 
substituting  additional  terms  for  variables  in  s  and  t  so  that  both  become  the  same 
term.  All  occurrences  of  a  variable  x  in  both  s  and  t  must  be  replaced  by  the  same 
term.  For  example,  the  terms  f(x.x)  and  f(g(y),g(g(z)))  may  be  unified  by  substituting 
g(z)  for  y  and  g(g(z))  for  x.  A  unification  problem  like  "unify  f(t1,t2)  and  f(t3,t4)"  may 
be  decomposed  into  two  subproblems  "unify  tl  and  t3"  and  "unify  t2  and  t4". 
However,  these  two  problems  cannot  be  solved  entirely  separately  in  parallel.  If 
some  variable  x  occurs  in  both  tl  and  t4,  for  example,  then  the  solutions  to  the 
subproblems  must  be  coordinated  so  that  both  substitute  the  same  term  for  x. 

There  are  several  variations  of  the  unification  problem.  For  example,  a  type 
inference  ale,  rithm  may  construct  labeled  graphs  which  represent  terms  that  must 
be  unified.  acceptable  result  of  unification,  in  this  case,  may  be  a  labeled  graph 
with  a  cycle.  Labeled  graphs  with  cycles  represent  types  defined  by  recursion  [32], 
or,  if  interpreted  as  terms,  represent  "infinite  terms"  to  be  substituted  for  variables. 
Using  the  infinite  term  f(f(f(. ..))),  we  can  unify  x  and  f(x),  something  we  could  not  do 
otherwise.  Unrestricted  unification  also  appears  in  many  PROLOG  interpreters; 
those  omitting  the  occur  test  [6].  Anotner  variation  on  unification  is  the  special  case 
in  which  the  labeled  graphs  are  from  a  class  of  tree  like  directed  acyclic  graphs.  The 
complexity  of  unification  on  tree  like  graphs  is  precisely  the  complexity  of  unification 
on  symbolic  representations  of  terms,  as  opposed  to  the  complexity  as  a  function  of 
the  size  of  more  concise  graph  representations.  For  this  case  it  was  known  that 
unification  is  hard  for  co-NLOGSPACE  [30],  This  did  not  exclude  the  possibility  of 
fast  parallel  algorithms  (i.e.,  algorithms  requiring  time  poly-logarithmic  in  the  length 
of  the  input).  Moreover,  no  lower  bound  was  known  for  unrestricted  unification.  In 
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“On  the  Sequential  Nature  of  Unification",  Dwork,  Kanellakis,  and  Mitchell  ([14]) 
show  that  all  of  the  above  variants  of  unification  are  log-space  complete  for  P,  and 
hence  are  unlikely  to  have  fast  parallel  solutions. 

One  important  special  case  of  unification  can  be  solved  quickly  in  parallel.  This 
problem,  called  term  matching,  arises  in  term  rewriting.  A  term  s  matches  a  term  t  if  t 
is  a  substitution  instance  of  s.  The  rewrite  rule  I  ->  r  may  be  used  to  rewrite  a  term  t 
whenever  I  matches  t.  [14]  shows  that  matching  can  be  accomplished  in  log2n  time 
on  a  PRAM,  where  n  is  the  length  of  the  input,  using  a  number  of  processors 
polynomial  in  n.  The  algorithm  combines  parallel  transitive  closure  of  a  directed 
acyclic  graph  with  parallel  computation  of  connected  components  of  an  undirected 
graph.  Also,  matching  is  in  NLOGSPACE,  and  for  tree  like  graphs  it  is  in 
DLOGSPACE. 

10.  COMBINATORICS  AND  GRAPH  ALGORITHMS 

Shmuel  Zaks  has  worked  on  several  problems  involving  combinatorics  and  graph 
algorithms.  Revisions  have  been  made  in  [41]  and  [7].  The  paper  [41]  presents  a 

new  algorithm  for  generating  all  the  permutations  of  the  numbers  1 . n;  it  generates 

the  next  permutation  by  reversing  a  certain  suffix  of  its  predecessor.  In  [7]  a  very 
general  enumeration  formula  for  occurrences  of  patterns  in  certain  families  oi  trees 
(like  ordered  trees  or  binary  trees)  is  derived,  using  an  extension  of  the  Cycle  Lemma 
of  Dvoretzky  and  Motzkin  [13].  Many  known  results  in  this  area  fit  within  its 
framework.  This  formula  is  very  handy  in  analyzing  expected-time  behaviors  of 
algorithms  acting  on  these  families  of  trees. 

Using  a  new  correspondence  between  ordered  trees  and  non-crossing  partitions, 
and  using  results  previously  stated  in  terms  of  trees,  some  notes  are  made  in 
Dershowitz  and  Zaks  [8]  regarding  the  set  of  non-crossing  partitions. 

A  planarity  test  for  unflippable  modules  is  developed  in  Zaks  [42];  it  improves  upon 
a  previous  algorithm  of  Amir  [1]  in  two  aspects:  it  does  not  require  any  additional 
memory,  and  it  can  be  easily  implemented  by  a  parallel  algorithm. 


11.  ACLU  PARSER-GENERATOR 

Neil  Savasta  wrote  a  new  parser-generator  program,  patterned  after  the  widely- 
used  C  program  YACC.  This  new  program  was  integrated  into  the  undergraduate 
compiler  course  this  spring. 
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12.  PLANS 

The  Theory  of  Distributed  Systems  Group  plans  to  continue  working  on  problems 
involving  reliability  and  time  in  distributed  systems,  as  well  as  problems  involving 
particular  high-level  constructs  for  reliable  distributed  computing. 

Plans  for  the  coming  year  include  visits  by  Drs.  Baruch  Awerbuch,  James  Burns, 
Cynthia  Dwork,  Paris  Kanellakis  and  Michael  Merritt. 
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